[GH-ISSUE #300] Ssh port forwarding? #73

Open
opened 2026-05-07 00:18:26 +02:00 by BreizhHardware · 3 comments

Originally created by @fzyzcjy on GitHub (Apr 13, 2022).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/300

Hi thanks for the project! I wonder whether ssh port forwarding is supported? For example, suppose there is an application in the private network using port 1234, and I want to communicate with that port *directly* at my local development machine. If the bastion is a normal server, I can use ssh port forward like `ssh the-bastion -L 1234:some-ip:1234` and happily access `localhost:1234` in my development machine.

@speed47 commented on GitHub (Jun 24, 2022):

Hey @fzyzcjy, actually ssh port forwarding is explicitly disabled on the bastion, because it could be used as a way to bypass its logic entirely and punch a hole in the traceability feature.

For example you could redirect a remote ssh port to your own machine, through the bastion, then use this tunnel to access it remotely from your machine, without using the bastion logic anymore, and the bastion wouldn't be able to see anything.

Disabling port forwarding helps assert that the accesses are exhaustively traced on your infrastructure (closes a possible loophole), and as traceability is one of the main missions of the bastion, that's why it has been done this way.
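
The directives that decide whether an OpenSSH host can be used as a tunnel live in `sshd_config`. The script below is an added example (not code from The Bastion project) that audits a config for them, with the weak, hardened and "hardening appended too late" cases embedded as constructed samples; it does not quote the bastion's real `sshd_config`. It also encodes two checks a practitioner tends to forget: sshd honours the first occurrence of a keyword, and the global section ends at the first `Match` block.

```shell
#!/bin/sh
# Added example (not code from The Bastion project): audit an sshd_config for
# the directives that let a session tunnel traffic through the host, which is
# the capability the bastion deliberately switches off. The sample configs
# below are constructed for this example.

# Effective value of a global directive. sshd applies the FIRST occurrence of a
# keyword and ignores later ones, and the global section ends at the first
# "Match" block, so a "no" appended at the bottom of the file may do nothing.
effective_value() {   # $1 = config text, $2 = keyword, $3 = default when absent
    v=$(printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == "match"        { exit }
        tolower($1) == tolower(key)   { print tolower($2); exit }')
    if [ -n "$v" ]; then printf '%s' "$v"; else printf '%s' "$3"; fi
}

# Print one line per forwarding-related directive whose effective value is
# anything other than "no". Defaults are those documented in sshd_config(5).
audit_forwarding() {   # $1 = config text
    for spec in \
        'AllowTcpForwarding|yes|TCP port forwarding (-L/-R/-D) permitted' \
        'AllowStreamLocalForwarding|yes|Unix-socket forwarding permitted' \
        'AllowAgentForwarding|yes|agent forwarding permitted' \
        'PermitTunnel|no|tun/tap tunnels (-w) permitted' \
        'GatewayPorts|no|remote forwards may bind non-loopback addresses' \
        'X11Forwarding|no|X11 forwarding permitted'
    do
        key=${spec%%|*}; rest=${spec#*|}; def=${rest%%|*}; why=${rest#*|}
        val=$(effective_value "$1" "$key" "$def")
        [ "$val" = no ] || printf '%s=%s: %s\n' "$key" "$val" "$why"
    done
}

# Number of findings, as a plain integer.
count_findings() { audit_forwarding "$1" | wc -l | tr -d ' \n'; }

# --- constructed samples ---------------------------------------------------
WEAK_CONFIG='# stock-like host: forwarding left at defaults or enabled
Port 22
X11Forwarding yes
AllowTcpForwarding yes
PermitTunnel no'

HARDENED_CONFIG='# bastion-style host: every tunnel type off in the global section
Port 22
AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
PermitTunnel no
GatewayPorts no
X11Forwarding no'

# Common mistake: hardening appended to the end of a file that already set the
# keyword, so the earlier "yes" still wins.
APPENDED_CONFIG='Port 22
AllowTcpForwarding yes
AllowStreamLocalForwarding no
AllowAgentForwarding no
X11Forwarding no
AllowTcpForwarding no'

for name in WEAK_CONFIG HARDENED_CONFIG APPENDED_CONFIG; do
    eval "cfg=\$$name"
    printf '== %s: %s finding(s)\n' "$name" "$(count_findings "$cfg")"
    audit_forwarding "$cfg"
done
```

Run it against a real file with `audit_forwarding "$(cat /etc/ssh/sshd_config)"`; on the samples it reports four findings for the stock-like config, none for the bastion-style one, and still one for the appended config because the first `AllowTcpForwarding yes` is the one sshd uses. These directives only remove the tunnels sshd itself provides; traffic can still be encapsulated inside an interactive session's byte stream, which is why a bastion's traceability rests on session recording and command control as well, not on this setting alone.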


@fzyzcjy commented on GitHub (Jun 24, 2022):

Hi thanks for your reply!

My use case is mainly accessing Kubernetes in my cluster from my own computer. So is this feasible using the bastion (without using port forwarding)?


@shayneoneill commented on GitHub (Mar 18, 2025):

While I do get the reasoning, is there a way to say "Ok, I accept the risks, but I really need port forwarding!", or is it a feature that just isn't there?

Are there bastion-type products that feature this, if there isn't a way? I should also note that disabling it completely isn't really THAT great a protection. There's nothing stopping someone from doing something like installing PPP or SLIP and going old school to get around... Except that it kinda sucks... But an attacker has a route even if the "official" channel of port forwards is cut off.
