# SSH - Expected behaviour while doing RemoteForward ?



## s2r (Dec 27, 2022)

What's the expected behaviour while setting up a RemoteForward port while creating a tunnel?

On a jumpbox I've set up a tunnel with the following settings. It forwards the remote-bound localhost port 26022 to my internal FreeBSD server.

```
Host remote.vps
   HostName remote.vps
   User tunnel
   Port 6022
   IdentityFile /var/tunnel/.ssh/xxxx
   RemoteForward 127.0.0.1:26022 freebsd.local:22222
   RemoteForward 127.0.0.1:46022 localhost:22

   ServerAliveInterval 60
   ExitOnForwardFailure yes
```

Don't ask me why, but I had port 26022 unfiltered in the VPS firewall. However, *I don't understand why those SSH connections would still arrive at my internal server if it was bound to localhost*.
Of course, after removing that port from the allowed external ports in PF, the incoming connections stopped.

These are the ports on the VPS; does binding to 127.0.0.1 still listen on *?

```
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.26022                *.*                    LISTEN
tcp4       0      0 *.46022                *.*                    LISTEN
```

This is the log on the FreeBSD server.

```
Dec 25 13:00:00 freebsd newsyslog[22462]: logfile turned over due to size>1000K
Dec 25 13:00:15 freebsd sshd[22497]: Invalid user ioshib from 10.20.10.14 port 47658
Dec 25 13:00:15 freebsd sshd[22497]: Received disconnect from 10.20.10.14 port 47658:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:00:15 freebsd sshd[22497]: Disconnected from invalid user ioshib 10.20.10.14 port 47658 [preauth]
Dec 25 13:00:34 freebsd sshd[22499]: Invalid user castis from 10.20.10.14 port 36468
Dec 25 13:00:34 freebsd sshd[22499]: Received disconnect from 10.20.10.14 port 36468:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:00:34 freebsd sshd[22499]: Disconnected from invalid user castis 10.20.10.14 port 36468 [preauth]
Dec 25 13:00:53 freebsd sshd[22514]: Invalid user arrb from 10.20.10.14 port 33404
Dec 25 13:00:53 freebsd sshd[22514]: Received disconnect from 10.20.10.14 port 33404:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:00:53 freebsd sshd[22514]: Disconnected from invalid user arrb 10.20.10.14 port 33404 [preauth]
Dec 25 13:01:12 freebsd sshd[22516]: Invalid user odoo from 10.20.10.14 port 36462
Dec 25 13:01:12 freebsd sshd[22516]: Received disconnect from 10.20.10.14 port 36462:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:01:12 freebsd sshd[22516]: Disconnected from invalid user odoo 10.20.10.14 port 36462 [preauth]
Dec 25 13:01:31 freebsd sshd[22520]: Invalid user test from 10.20.10.14 port 41546
Dec 25 13:01:31 freebsd sshd[22520]: Received disconnect from 10.20.10.14 port 41546:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:01:31 freebsd sshd[22520]: Disconnected from invalid user test 10.20.10.14 port 41546 [preauth]
Dec 25 13:01:50 freebsd sshd[22533]: Invalid user smd from 10.20.10.14 port 52466
Dec 25 13:01:50 freebsd sshd[22533]: Received disconnect from 10.20.10.14 port 52466:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:01:50 freebsd sshd[22533]: Disconnected from invalid user smd 10.20.10.14 port 52466 [preauth]
Dec 25 13:02:09 freebsd sshd[22537]: Invalid user brk from 10.20.10.14 port 51134
Dec 25 13:02:09 freebsd sshd[22537]: Received disconnect from 10.20.10.14 port 51134:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:02:09 freebsd sshd[22537]: Disconnected from invalid user brk 10.20.10.14 port 51134 [preauth]
Dec 25 13:02:29 freebsd sshd[22550]: Received disconnect from 10.20.10.14 port 50220:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:02:29 freebsd sshd[22550]: Disconnected from authenticating user root 10.20.10.14 port 50220 [preauth]
Dec 25 13:02:47 freebsd sshd[22552]: Invalid user glassfish from 10.20.10.14 port 39798
Dec 25 13:02:47 freebsd sshd[22552]: Received disconnect from 10.20.10.14 port 39798:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:02:47 freebsd sshd[22552]: Disconnected from invalid user glassfish 10.20.10.14 port 39798 [preauth]
Dec 25 13:03:07 freebsd sshd[22556]: Invalid user wasadrc from 10.20.10.14 port 49034
Dec 25 13:03:07 freebsd sshd[22556]: Received disconnect from 10.20.10.14 port 49034:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:03:07 freebsd sshd[22556]: Disconnected from invalid user wasadrc 10.20.10.14 port 49034 [preauth]
Dec 25 13:03:26 freebsd sshd[22569]: Invalid user cn from 10.20.10.14 port 59058
Dec 25 13:03:26 freebsd sshd[22569]: Received disconnect from 10.20.10.14 port 59058:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:03:26 freebsd sshd[22569]: Disconnected from invalid user cn 10.20.10.14 port 59058 [preauth]
Dec 25 13:03:47 freebsd sshd[22573]: Invalid user melev from 10.20.10.14 port 40784
Dec 25 13:03:47 freebsd sshd[22573]: Received disconnect from 10.20.10.14 port 40784:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:03:47 freebsd sshd[22573]: Disconnected from invalid user melev 10.20.10.14 port 40784 [preauth]
Dec 25 13:04:04 freebsd sshd[22586]: Invalid user nou from 10.20.10.14 port 35034
Dec 25 13:04:05 freebsd sshd[22586]: Received disconnect from 10.20.10.14 port 35034:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:04:05 freebsd sshd[22586]: Disconnected from invalid user nou 10.20.10.14 port 35034 [preauth]
Dec 25 13:04:24 freebsd sshd[22590]: Invalid user user from 10.20.10.14 port 34298
Dec 25 13:04:24 freebsd sshd[22590]: Received disconnect from 10.20.10.14 port 34298:11: Normal Shutdown, Thank you for playing [preauth]
Dec 25 13:04:24 freebsd sshd[22590]: Disconnected from invalid user user 10.20.10.14 port 34298 [preauth]
```


----------



## covacat (Dec 27, 2022)

what if you remove 127.0.0.1 from the RemoteForward line ?


----------



## s2r (Dec 27, 2022)

covacat said:


> what if you remove 127.0.0.1 from the RemoteForward line ?



Changed in the tunnel setup.


```
   RemoteForward 26022 freebsd.local:22222
   RemoteForward 127.0.0.1:46022 localhost:22
```


```
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.46022                *.*                    LISTEN
tcp4       0      0 *.26022                *.*                    LISTEN
```

Same result.


----------



## covacat (Dec 27, 2022)

It works as expected for me with stock ssh/sshd on both boxes.
Do you have *GatewayPorts* set to YES on the remote host?


----------



## s2r (Dec 28, 2022)

covacat said:


> It works as expected for me with stock ssh/sshd on both boxes.
> Do you have *GatewayPorts* set to YES on the remote host?


Yes.


----------



## covacat (Dec 28, 2022)

Set it to clientspecified instead of yes.


----------



## s2r (Dec 28, 2022)

s2r said:


> Yes.


I set it to no (the default value), and now it works as expected. All of the port forwarding tutorials I read had that option (GatewayPorts -> YES) set.


```
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 127.0.0.1.46022        *.*                    LISTEN
tcp4       0      0 127.0.0.1.26022        *.*                    LISTEN
```

*GatewayPorts*
Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, *sshd*(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. *GatewayPorts* can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be "no" to force remote port forwardings to be available to the local host only, "yes" to force remote port forwardings to bind to the wildcard address, or "clientspecified" to allow the client to select the address to which the forwarding is bound. The default is "no".
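The rule quoted above is what bit this thread: with GatewayPorts yes the server overrides the 127.0.0.1 the client asked for. The following is an added example (not code from the thread or from OpenSSH) that models that rule for the three settings and audits FreeBSD `netstat -an` output for forwarded ports that ended up on the wildcard address; it assumes ssh_config(5)'s convention that an omitted bind address means loopback while an empty address or `*` means all interfaces, and the sample netstat lines are constructed in the thread's format.

```python
import re

WILDCARD, LOOPBACK = "*", "127.0.0.1"

def parse_listen_spec(spec):
    """'[bind_address:]port' from a RemoteForward -> (address or None, port)."""
    spec = spec.strip()
    if ":" not in spec:
        return None, int(spec)               # '26022': no address given
    addr, port = spec.rsplit(":", 1)
    return addr.strip("[]"), int(port)       # '' when written as ':26022'

def effective_bind(listen_spec, gateway_ports):
    """Address sshd really listens on, per the sshd_config(5) GatewayPorts rule."""
    addr, port = parse_listen_spec(listen_spec)
    mode = gateway_ports.strip().lower()
    if mode == "no":            # server forces loopback whatever was requested
        return LOOPBACK, port
    if mode == "yes":           # server forces the wildcard, even for 127.0.0.1
        return WILDCARD, port
    if mode != "clientspecified":
        raise ValueError(f"unknown GatewayPorts value: {gateway_ports!r}")
    if addr is None:            # omitted bind_address: ssh_config default is loopback
        return LOOPBACK, port
    if addr in ("", WILDCARD):  # ':port' or '*:port' asks for all interfaces
        return WILDCARD, port
    return addr, port           # the client's explicit choice is honoured

# FreeBSD netstat -an line: proto recv-q send-q local foreign state; port after last '.'
LISTEN_RE = re.compile(r"^tcp[46]?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN")

def exposed_forwards(netstat_output, forwarded_ports):
    """Forwarded ports whose listener sits on '*': reachable from outside
    unless the host firewall (PF here) drops them."""
    exposed = set()
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            local_addr, port = m.group(1).rsplit(".", 1)
            if int(port) in forwarded_ports and local_addr == WILDCARD:
                exposed.add(int(port))
    return sorted(exposed)

# Constructed samples in the thread's netstat format: GatewayPorts yes, then no.
NETSTAT_GATEWAY_YES = """\
tcp4       0      0 *.26022                *.*                    LISTEN
tcp4       0      0 *.46022                *.*                    LISTEN"""
NETSTAT_GATEWAY_NO = """\
tcp4       0      0 127.0.0.1.46022        *.*                    LISTEN
tcp4       0      0 127.0.0.1.26022        *.*                    LISTEN"""
```

Running `exposed_forwards(NETSTAT_GATEWAY_YES, {26022, 46022})` reproduces the situation in the first post, where both forwards were reachable from outside and only PF stood in the way.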


----------

