bugzilla-daemon at mindrot.org
2002-Oct-11  07:59 UTC
[Bug 413] New: Port forwarding: [localhost:]localport:remotehost:remoteport
http://bugzilla.mindrot.org/show_bug.cgi?id=413
           Summary: Port forwarding:
                    [localhost:]localport:remotehost:remoteport
           Product: Portable OpenSSH
           Version: older versions
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: rafal.mantiuk at bellstream.pl
At the moment ssh port forwarding can open socket for listening only on a 
localhost or all interfaces (-g option). In case of multi-IP servers it would 
be useful if there was a way to specify exactly what interfaces/IPs ssh 
forwarding should bind to. The command line could be like:
ssh -L [localhost:]localport:remotehost:remoteport login at host
where [] - indicates optional parameter. localhost is the interface to be used 
for opening a socket (i.e. <localhost> should be passed as a 'node' parameter
to getaddrinfo() in channel.c:channel_setup_fwd_listener). The other parameters 
are the same as in the current ssh implementation.
For example:
ssh -N -L 192.168.0.2:139:somehost:139
could be used to forward Samba packets only on the interface 192.168.0.2. 
Another interface on the same server - e.g. 192.168.0.1 - could be used to host 
local samba server.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
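As an added illustration (not part of the thread and not OpenSSH source), the sketch below shows what passing the optional first field of the proposed spec as the `node` argument of getaddrinfo() does: a NULL node resolves to loopback, a NULL node with AI_PASSIVE (modelling -g) to the wildcard, and an explicit address to that address only. The names `parse_fwd_spec` and `listen_addr` are hypothetical, and only IPv4 literals are handled.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper, not OpenSSH code: split "[bind:]lport:host:hport".
 * bind[0] == '\0' means no bind address was given. IPv4 literals only. */
static int parse_fwd_spec(const char *spec, char *bind, size_t blen,
                          char *lport, size_t plen)
{
    const char *f[4] = { spec };
    int n = 1;
    for (const char *p = spec; *p; p++)
        if (*p == ':') { if (n == 4) return -1; f[n++] = p + 1; }
    if (n < 3) return -1;
    int hb = (n == 4);                 /* optional first field present? */
    size_t bl = hb ? (size_t)(f[1] - f[0] - 1) : 0;
    size_t ll = (size_t)(f[hb + 1] - f[hb] - 1);
    if ((hb && bl == 0) || bl >= blen || ll == 0 || ll >= plen) return -1;
    memcpy(bind, f[0], bl);   bind[bl] = '\0';
    memcpy(lport, f[hb], ll); lport[ll] = '\0';
    return 0;
}

/* Write to out[] the address the listener would bind to. gateway models -g;
 * an explicit address overriding -g is an assumption of this sketch. */
static int listen_addr(const char *spec, int gateway, char *out, size_t olen)
{
    char bind[64], lport[8];
    struct addrinfo *ai, hints = { .ai_family = AF_INET,
        .ai_socktype = SOCK_STREAM, .ai_flags = AI_NUMERICHOST | AI_NUMERICSERV };
    if (parse_fwd_spec(spec, bind, sizeof bind, lport, sizeof lport)) return -1;
    if (bind[0] == '\0' && gateway)    /* NULL node alone resolves to loopback */
        hints.ai_flags |= AI_PASSIVE;  /* NULL node + AI_PASSIVE: wildcard */
    if (getaddrinfo(bind[0] ? bind : NULL, lport, &hints, &ai)) return -1;
    const struct sockaddr_in *sin = (const struct sockaddr_in *)ai->ai_addr;
    const char *r = inet_ntop(AF_INET, &sin->sin_addr, out, (socklen_t)olen);
    freeaddrinfo(ai);
    return r ? 0 : -1;
}

int main(void)
{
    char a[INET_ADDRSTRLEN];
    if (listen_addr("192.168.0.2:139:somehost:139", 0, a, sizeof a) == 0) puts(a);
    return 0;
}
```

The function only resolves the address and never calls bind(), so it runs on a host that does not own 192.168.0.2.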
Courtin Bert
2002-Oct-17  08:06 UTC
[Bug 413] New: Port forwarding: [localhost:]localport:remotehost:remoteport
Hi,
I would be glad if a feature/enhancement like this would be available. For more
than one time it would have saved me lots of time and headache.
E.g. the following scenario:
On a web server with 2 external IP where both VH are listening on Port 80 (and
this could not be changed) the requests for one of them should be temporarily
routed to another server. With port forwarding for Port 80 this is not possible
as PF on port 80 is done for both/all IP on port 80.
This is just one scenario and I think a feature as requested would not only be
an enhancement regarding security issues.
Kind regards,
B. Courtin
P.S.: 
As far as I understand PF, port forwarding always is done for/on all local IP,
the option "-g" only allows remote hosts to connect to these forwarded ports.
--
     -g   Allows remote  hosts  to  connect  to  local  forwarded
          ports.
--
Courtin Bert
2002-Oct-17  16:55 UTC
[Bug 413] New: Port forwarding: [localhost:]localport:remotehost:remoteport
Hi Dan,
first of all thank you for picking up this thread :-)
Secondly, I would've probably helped getting this working/integrated in the
current code, but unfortunately I do speak some programming languages but
"C/C++".
So, I greatly would appreciate if someone has the time & ability to implement a
feature as described. As one can think of, it would be - from my point of view -
last but not least a contribution regarding security when using port forwarding.
Kind regards,
B. Courtin
> -----Original Message-----
> From: Dan Astoorian [mailto:djast at cs.toronto.edu]
> Sent: Thursday, October 17, 2002 6:24 PM
> To: openssh-unix-dev at mindrot.org
> Subject: Re: [Bug 413] New: Port forwarding:
> [localhost:]localport:remotehost:remoteport
>
> On Thu, 17 Oct 2002 04:06:08 EDT, "Courtin Bert" writes:
> > Hi,
> >
> > I would be glad if a feature/enhancement like this would be available.
> > For more than one time it would have saved me lots of time and headache.
>
> FWIW, I wrote a patch that did this a while ago (the last update I made
> to it applied to a snapshot from early February), but there was never a
> good opportunity to get it integrated. Enough code has changed since
> then that updating my patch may not be completely straightforward, but
> I'll try to find some time to take another look at it.
>
> Unfortunately, my plate is still rather full, so I can't make any
> promises; if someone else is particularly keen to implement this
> feature, I'd be willing to share my obsolete patch for them to work
> from.
>
> --
> Dan Astoorian               People shouldn't think that it's better to have
> Sysadmin, CSLab             loved and lost than never loved at all. It's
> djast at cs.toronto.edu     not, it's better to have loved and won. All
> www.cs.toronto.edu/~djast/  the other options really suck. --Dan Redican
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev