Bug 530

Summary: problems with port forwarding
Product: Portable OpenSSH Reporter: Marko Zmak <gilbert>
Component: sshAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED INVALID    
Severity: normal    
Priority: P2    
Version: -current   
Hardware: ix86   
OS: FreeBSD   

Description Marko Zmak 2003-04-03 03:23:11 AEST 
Here is my problem. I'm not sure if it is a bug or a 'feature' but i don't know 
where else to ask.

From my non-root account I forwarded a remote port with ssh like this:

some_host$ ssh -R 20022:my_other_host:22 user@my_host

when I tried to connect to forwarded port from another computer, like this:

some_host$ ssh -p 20022 my_host

i got the message:

Connection refused.

When I tried to conect from the host my_host where the port was forwarded from 
like this:

my_host$ ssh -p 20022 localhost

it worked O.K. When I did it from the same my_host like this:

my_host$ ssh -p 20022 my_host

it failed again.

Forwarding of local ports form my_host works O.K. So by doing

my_host$ ssh -gL 20022:my_other_host:22 user@some_host

forwarding of port 20022 on my_host worked.

I should mention that my_host has a firewall installed, but the port 20022 was 
permitted. We tested it with putting sshd to listen on 20022:

my_host$ sshd -p 2002

and connecting to port 20022 from outside:

some_host$ ssh -p 20022

and it worked. So the firewall probably isn't the problem.

Port forwarding worked O.K. for other versions of SSH, only with OpenSSH it 
didn't.

The OS is:

FreeBSD 4.8-RELEASE #6

on:

i386 AMD Athlon(tm) Processor

The OpenSSH version is:

OpenSSH_3.5p1 FreeBSD-20030201
Comment 1 Darren Tucker 2003-04-03 18:58:55 AEST 
This is a Feature.  By default, port forwards listen only on the loopback 
interface, which means that only processes on the local machine can connect via 
the forward.  You can see this with netstat:

$ ssh -L 20022:127.0.0.1:22 myhost
myhost> netstat -an
Proto Recv-Q Send-Q Local Address      Foreign Address   State 
[snip]
tcp   0      0      127.0.0.1:20022    0.0.0.0:*         LISTEN

As you saw, using -g (or GatewayPorts=yes) allows connections on any interface.  
This is known as a "wildcard binding" and shows a different "Local Address" in 
netstat: 

$ ssh -g -L 20022:127.0.0.1:22 myhost
myhost> netstat -an
Proto Recv-Q Send-Q Local Address      Foreign Address   State 
[snip]
tcp   0      0      0.0.0.0:20022      0.0.0.0:*         LISTEN 

Using GatewayPorts means that anyone who can connect to your machines can 
connect via your tunnel, which is why it defaults to listening on the loopback 
only.  If you don't like the default you can put "GatewayPorts yes" in 
ssh_config.

If different ssh software behaved differently, perhaps it has a different 
default or the config file had the equivalent of "GatewayPorts yes" set.
Comment 2 Marko Zmak 2003-04-03 20:31:08 AEST 
This ony partialy answers my question.

I know about -g option, and it works O.K. for forwarding LOCAL port.
But I wanted to forward port 20022 on my_host as a REMOTE port by connectin to 
my_host from some_host like this:

some_host$ ssh -R 20022:my_other_host:22 user@my_host

and it works only for local connections form my_host. Since the -g option 
doesn't help here, how do I get aorund this? Thx.
Comment 3 Thomas Binder 2003-04-03 20:44:03 AEST 
> Since the -g option doesn't help here, how do I get aorund this?

Maybe by reading the docs, especially sshd_config(5)?

-- snip --
     GatewayPorts
          Specifies whether remote hosts are allowed  to  connect
          to  ports  forwarded  for the client.  By default, sshd
          binds remote port forwardings to the loopback  address.
          This  prevents  other  remote  hosts from connecting to
          forwarded ports.  GatewayPorts can be used  to  specify
          that  sshd  should  bind remote port forwardings to the
          wildcard address, thus allowing remote hosts to connect
          to  forwarded  ports.   The argument must be ``yes'' or
          ``no''.  The default is ``no''.
-- snap --
Comment 4 Darren Tucker 2003-04-03 21:09:57 AEST 
Sorry, missed that.  At the moment that's controlled by the server-side 
GatewayPorts (ie in sshd_config).  There's a patch attached to bug #413 
(attachment #229 [details]) that allows greater control over which interface a remote port 
forward listens on (subject to the server's Gatewayports setting).
Comment 5 Marko Zmak 2003-04-03 21:18:32 AEST 
> Maybe by reading the docs, especially sshd_config(5)?

This only relates to allowing connections to forwarded ports on the server 
side, but I don't have root access on the machine and cant change sshd 
configuration. I'd like to set forwarding completely on the clinet side.
Comment 6 Thomas Binder 2003-04-03 22:17:40 AEST 
> This only relates to allowing connections to forwarded ports
> on the server side, but I don't have root access on the machine

As you _are_ creating a forwarded port on the server side, this
does relate to your problem. If you can't change the remote
server's sshd_config, and can't convince the admin to change it
(he'll maybe have a reason for not allowing gateway ports), there's
nothing else you can do. It's a server option, not a client option.
Comment 7 Stephen Samuel 2003-04-04 08:19:06 AEST 
Easy solution:

ssh my_host
  (login)
myhost% ssh -g -L 44000:other_host:22
(login again)


with the second ssh, you are forwarding the LOCAL port for my_host,
using the ssh client. which is quite legal to make a server port.   Job done.

Note: the connection between myhost and other_host is NOT being 
encrypted. You are simply using ssh as a port redirection tool 
at this poing. If you're connecting to an ssh demon on other_host, 
this isn't a problem. If you're doing pretty much anything else, 
you'd probably want to do:

my_host%  ssh -g -L 44000:localhost:25   other_host

That would forward an encrypted channel to other_host that then 
connects to it's port 25 locally.
Comment 8 Marko Zmak 2003-04-04 10:04:18 AEST 
> Note: the connection between myhost and other_host is NOT being encrypted

Yea, I'm completely aware of that, and familiar with how port forwarding works.

But acctually only forwarding remote ports works for me since I want to forward 
a port from a machine I can't reach from outside regulary.

Anyway, I'm in good relations with the system root on myhost so we set

GatewayPorts yes

and restarted sshd, and it worked.

Thanks all for the info and help.