Port Forward

Port Forward settings work in combination with tunnelled connections, which are described further in the topics Remote Desktop Connection (RDP/SSH) and Create new Tunnelled Connection, and allow you to further limit who can create tunnelled connections and which ports can be used. This topic is divided into two parts: the first explains the rules and their notation, the second gives practical examples. Please proceed to the part relevant for you:

Port Forward - Settings

The following settings are available to you in the Port Forward section:

  • Allowed connect filter - IP and port filters defined here apply to connections passing through the remote computer. Such connections are made when the remote computer serves as a jumpbox into its own network, as described here: Create an SSH session using a jumpbox.
  • Allowed listen filter - IP and port filters defined here apply to connections made to your local machine from your own local network (including your own machine connecting to itself through localhost). Such connections are made when your local computer serves as the jumpbox, as described here: Create a custom tunnel.
  • Rdp connection file - Path to a .rdp connection configuration file that is applied to the tunnelled session.
  • Default rdp schema - Command executed when an RDP tunnel is created (Create a RDP Session); it launches an RDP client that uses the tunnel. Change it only if you have changed the RDP configuration and the executable is no longer at its default location.
  • Default ssh schema - Command executed when an SSH tunnel is created (Create an SSH Session); it launches an SSH client that uses the tunnel. Change it only if you have changed the SSH configuration and the executable is no longer at its default location.


Port forward - Filter Rules

Important: Filter rules are applied from left to right to each new connection until one rule matches; the first matching rule decides (firewall rules behave in the same way).

For security reasons it is advisable to place the deny_all rule as the last rule. In such a configuration you must explicitly specify which IPs and which ports can be used, and all other connections are denied (you are whitelisting IPs and ports).

The alternative, less secure, configuration is to place the allow_all rule as the last rule and explicitly deny specific IPs and ports (you are blacklisting IPs and ports).

Important: For security reasons deny_all is implicitly appended to the end of any custom filter rule list. Placing allow_all at the end overrides it.

Allowed connect filter

You can enter the following settings for Allowed connect filter:

  • deny_ip / allow_ip - deny or allow connections from the remote computer, serving as a jumpbox, to other computers in its network, based on IP addresses.
    • Example: Only allow the tunnel to a specific IP (172.17.118.73) and to the 172.16.1.1/255.255.0.0 subnet (that is, 172.16.0.0/16).
      • allow_ip 172.17.118.73; allow_ip 172.16.1.1/255.255.0.0; deny_all;
  • deny_port / allow_port - deny or allow connections from the remote computer serving as a jumpbox to other computers in its network on specific ports.
    • Example: Deny all tunnelled connections except on port 22.
      • allow_port 22; deny_all;
  • deny_all / allow_all - deny or allow all connections made through the remote computer that no earlier rule matched.


Allowed listen filter

You can enter the following settings for Allowed listen filter:

  • deny_ip / allow_ip - deny or allow connections to your computer based on IP addresses.
    • Example: Only allow a specific computer (172.17.118.73) and computers from the 172.16.1.1/255.255.0.0 subnet to connect to your computer and use the tunnel.
      • allow_ip 172.17.118.73; allow_ip 172.16.1.1/255.255.0.0; deny_all;
  • deny_port / allow_port - deny or allow connections to your computer on specific ports.
    • Example: Deny all connections to your machine except on port 22.
      • allow_port 22; deny_all;
  • deny_remote_ip / allow_remote_ip - prevent or permit a tunnel being created to specific IP addresses inside the network of the remote computer.
    • Example: Allow an SSH tunnel to a single specific computer inside the network of the remote computer.
      • allow_remote_ip 172.16.1.17; allow_remote_port 22; deny_all;
    • Note: deny_remote_ip in the Allowed listen filter and deny_ip in the Allowed connect filter perform a similar function: both prevent a connection to a specific IP in the network of the remote computer. The difference is when they are evaluated. deny_remote_ip is evaluated when the tunnel is created, so a tunnel to a banned IP is not created at all; deny_ip is evaluated when a connection is made through the tunnel, so the tunnel is created but the connection is refused.
  • deny_remote_port / allow_remote_port - prevent or permit a tunnel being created to devices inside the network of the remote computer on specific ports.
    • Example: Allow an SSH tunnel to a single specific computer inside the network of the remote computer.
      • allow_remote_ip 172.16.1.17; allow_remote_port 22; deny_all;
    • Note: The same distinction as for deny_remote_ip applies. deny_remote_port is evaluated when the tunnel is created, so a tunnel to a banned port is not created at all; deny_port in the Allowed connect filter is evaluated when a connection is made through the tunnel, so the tunnel is created but the connection is refused.
  • deny_all / allow_all - deny or allow all connections to your computer that no earlier rule matched.


Port Forward - Examples

A few configuration examples are provided below; please refer to the one most relevant for your situation:


Allow an SSH connection only from your computer to the remote computer (1:1 connection, neither computer serves as a jumpbox).

Option 1:

Allowed connect filter:

allow_port 22; deny_all;

Allowed listen filter:

allow_ip 127.0.0.1; deny_all;

Option 2:

Allowed connect filter:

deny_all;

Allowed listen filter:

allow_remote_port 22; allow_ip 127.0.0.1; deny_all;


Allow SSH and RDP connections only from your computer to the remote computer (1:1 connection, neither computer serves as a jumpbox).

Option 1:

Allowed connect filter:

allow_port 22; allow_port 3389; deny_all;

Allowed listen filter:

allow_ip 127.0.0.1; deny_all;

Option 2:

Allowed connect filter:

deny_all;

Allowed listen filter:

allow_remote_port 22; allow_remote_port 3389; allow_ip 127.0.0.1; deny_all;
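The following Python script is an added example, not part of this article or the product's own code. It models the filter notation from the Filter Rules section so that you can check a filter string against a hypothetical tunnel or connection before you deploy it: first-match evaluation, the implicit deny_all, the allow_all override, and the split between rules checked when a tunnel is created (allow_remote_ip, allow_remote_port and their deny forms) and rules checked when a client connects (allow_ip, allow_port and their deny forms). That the ip/port rules are ignored during the tunnel-creation check, and the remote_* rules during the connection check, is an assumption drawn from the Notes above; the function names (parse_filter, tunnel_allowed, connection_allowed) and the sample addresses are likewise assumptions used only for illustration. The script walks through the examples on this page.

```python
"""Model of the Port Forward filter notation (added example, not the product's code).

Assumed semantics, taken from the Filter Rules section: rules are evaluated left
to right until the first match; an implicit deny_all follows every rule list;
allow_all as the last rule overrides that; the remote_* rules of the Allowed
listen filter are checked when a tunnel is created, the ip/port rules when a
client connects.  That only one phase's rules apply in each check is an assumption.
"""
import ipaddress
from dataclasses import dataclass

ACTIONS = ("allow", "deny")
KINDS = ("ip", "port", "remote_ip", "remote_port", "all")


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    kind: str         # one of KINDS
    value: str = ""   # IP, IP/mask or port; empty for allow_all / deny_all


def parse_filter(text):
    """Parse 'allow_ip 172.16.1.1/255.255.0.0; allow_port 22; deny_all;' into Rules."""
    rules = []
    for stmt in text.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        action, _, kind = parts[0].partition("_")
        if action not in ACTIONS or kind not in KINDS:
            raise ValueError(f"unknown rule: {stmt.strip()!r}")
        if kind == "all":
            if len(parts) != 1:
                raise ValueError(f"{parts[0]} takes no argument: {stmt.strip()!r}")
            rules.append(Rule(action, kind))
            continue
        if len(parts) != 2:
            raise ValueError(f"{parts[0]} needs exactly one argument: {stmt.strip()!r}")
        value = parts[1]
        if kind.endswith("ip"):
            # Accepts a single address or address/mask; host bits in the mask form are allowed.
            ipaddress.ip_network(value, strict=False)
        elif not 0 < int(value) < 65536:
            raise ValueError(f"port out of range: {stmt.strip()!r}")
        rules.append(Rule(action, kind, value))
    # Implicit deny_all unless the list already ends with a catch-all (allow_all overrides it).
    if not rules or rules[-1].kind != "all":
        rules.append(Rule("deny", "all"))
    return rules


def _matches(rule, fields):
    """A rule matches if its field is part of this phase and the value equals / contains it."""
    if rule.kind == "all":
        return True
    actual = fields.get(rule.kind)
    if actual is None:   # this rule kind is not evaluated in the current phase
        return False
    if rule.kind.endswith("ip"):
        return ipaddress.ip_address(actual) in ipaddress.ip_network(rule.value, strict=False)
    return int(rule.value) == int(actual)


def evaluate(rules, **fields):
    """First-match evaluation: the first rule that matches decides, allow -> True."""
    for rule in rules:
        if _matches(rule, fields):
            return rule.action == "allow"
    return False   # unreachable after parse_filter, which always appends a catch-all


def tunnel_allowed(listen_filter, remote_ip, remote_port):
    """Allowed listen filter, tunnel-creation phase: only remote_* and *_all rules apply."""
    return evaluate(parse_filter(listen_filter), remote_ip=remote_ip, remote_port=remote_port)


def connection_allowed(filter_text, ip, port):
    """Connection phase for either filter (ip/port and *_all rules).  For the Allowed
    connect filter ip/port are the destination inside the remote network; for the
    Allowed listen filter they are the client connecting to your local machine."""
    return evaluate(parse_filter(filter_text), ip=ip, port=port)


if __name__ == "__main__":
    # The page's own examples, checked against constructed addresses (no real hosts).
    connect = "allow_ip 172.17.118.73; allow_ip 172.16.1.1/255.255.0.0; deny_all;"
    print(connection_allowed(connect, "172.16.200.7", 22))  # True: inside 172.16.0.0/16
    print(connection_allowed(connect, "172.17.0.1", 22))    # False: falls through to deny_all
    listen = "allow_remote_port 22; allow_ip 127.0.0.1; deny_all;"
    print(tunnel_allowed(listen, "172.16.1.17", 3389))      # False: RDP tunnel refused at creation
    print(connection_allowed(listen, "10.0.0.5", 22))       # False: only localhost may use the tunnel
```

One consequence of first-match evaluation that the model makes visible: in the allow_remote_ip 172.16.1.17; allow_remote_port 22; deny_all; example above, the first rule by itself allows any port on 172.16.1.17 and the second allows port 22 on any host, so the rule list permits more than "SSH to one computer". If you need both conditions to hold at once, confirm the product's behaviour with a test tunnel before relying on that combination.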

Tags: settings, port forward, filter rules, examples