Port forwarding is a mechanism within the SSH protocol that allows a user to forward traffic from one application to another over the SSH connection. There are many reasons why a user might want to do this. For example, they may not be able to connect to the application directly because it is not accessible from their current network. Or the application may use an insecure transport, or none at all, so the user wants to leverage the security of the SSH connection to maintain privacy.
By default, the Maverick Synergy Java SSH Server does not enable port forwarding. If you want to allow users to use this service, you need to enable it on the ForwardingPolicy:
server.getForwardingPolicy().allowForwarding();
This one-line configuration is enough to allow a client to port forward to any host on the server's network. It also enables remote forwarding, which allows the client to forward ports from the server; however, these are limited to the server's loopback interface.
If you want to enable the client to open remote forwarding from any remote host, then you need to enable gateway forwarding:
server.getForwardingPolicy().allowGatewayForwarding();
You can control and limit the connections that can be made through port forwarding by granting access to just specific hosts/ports. By default there is no restriction. As soon as you grant one forwarding, all other forwarding is disabled unless it has been explicitly granted.
You can grant access to a single host, allowing any port to be accessed:
server.getForwardingPolicy().grantForwarding("hostname");
Or you can restrict access to a specific host and port:
server.getForwardingPolicy().grantForwarding("hostname:443");
You can of course use as many grantForwarding directives as you require to build up a list of permitted hosts.
Once granted, a permission can be revoked at any time using:
server.getForwardingPolicy().revokeForwarding("hostname:443");
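The grant rules described above can be checked against a list of destinations before deployment. The following is an added example that models those rules; it is not Maverick Synergy code and not the library's implementation. The class ForwardingGrantModel, the isAllowed method and the host names are hypothetical, and the model assumes literal string matching and that the policy stays restricted after a revoke.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Added illustration: models the grant rules described on this page.
// It does not call or reproduce the Maverick Synergy ForwardingPolicy.
public class ForwardingGrantModel {
    private final Set<String> grants = new LinkedHashSet<>();
    private boolean restricted = false; // no restriction until the first grant

    // Accepts "host" (any port) or "host:port", as in the page's examples.
    public void grantForwarding(String rule) {
        grants.add(rule);
        restricted = true; // the first grant switches the policy to allow-list mode
    }

    // Assumption: revoking the last grant leaves the policy restricted (deny all).
    public void revokeForwarding(String rule) {
        grants.remove(rule);
    }

    // Allowed when unrestricted, or when "host" or "host:port" has been granted.
    public boolean isAllowed(String host, int port) {
        if (!restricted) {
            return true;
        }
        return grants.contains(host) || grants.contains(host + ":" + port);
    }

    private static void report(ForwardingGrantModel p, String host, int port) {
        System.out.println(host + ":" + port + " allowed=" + p.isAllowed(host, port));
    }

    public static void main(String[] args) {
        ForwardingGrantModel policy = new ForwardingGrantModel();
        // Constructed host names, used only for this walk-through.
        System.out.println("-- before any grant (forwarding enabled, no restriction)");
        report(policy, "db.internal.example", 5432);

        policy.grantForwarding("intranet.example");   // any port on this host
        policy.grantForwarding("api.example:443");    // this host and port only
        System.out.println("-- after two grants");
        report(policy, "intranet.example", 8080);
        report(policy, "api.example", 443);
        report(policy, "api.example", 22);
        report(policy, "db.internal.example", 5432);

        policy.revokeForwarding("api.example:443");
        System.out.println("-- after revoking api.example:443");
        report(policy, "api.example", 443);
    }
}
```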