SonicOS 7.1 DPI-SSH

Configuring DPI-SSH > Managing DPI-SSH > DPI-SSH Blocking of Port Forwarding
Table of Contents

DPI-SSH Blocking of Port Forwarding

SSH makes it possible to tunnel other applications through SSH by using port forwarding. Port forwarding allows local or remote computers (for example, computers on the internet) to connect to a specific computer or service within a private LAN. Port forwarding translates the address and/or port number of a packet to a new destination address and forwards it to that destination according the routing rules. Because these packets have new destination and port numbers, they can bypass the firewall security policies.

To prevent circumvention of the application-based security policies on the SonicWall network security appliance, SonicOS supports blocking SSH port forwarding for both Local and Remote port forwarding.

  • Local port forwarding allows a computer on the local network to connect to another server, which might be an external server.
  • Dynamic port forwarding allows you to configure one local port for tunneling data to all remote destinations. This can be considered as a special case of Local port forwarding.
  • Remote port forwarding allows a remote host to connect to an internal server.

SSH port forwarding supports the following servers:

  • SSH server on Fedora
  • SSH server on Ubuntu

SSH port forwarding supports both:

  • Route mode
  • Wire mode – only supported in Secure Mode

SSH port forwarding supports a maximum of 1000 connections, matching the maximum supported by DPI-SSH.

DPI-SSH must be enabled for blocking of SSH port forwarding to work. If any local or remote port forwarding requests are made when the blocking feature is enabled, SonicOS blocks those requests and resets the connection.

To enable blocking of SSH port forwarding

  1. Navigate to the POLICY | DPI-SSH > Settings page.

  2. In the General Settings section, select Block Port Forwarding.
  3. Select either or both Local Port Forwarding and Remote Port Forwarding to block that type of port forwarding.
  4. Click Accept.

DPI-SSH port forwarding supports the following clients:

  • SSH client for Cygwin
  • Putty
  • SecureCRT
  • SSH on Ubuntu
  • SSH on CentOS