VanDyke Software Forums


mr.dk 09-08-2020 04:50 PM

Ignored - Port Forward Filter - Version 8.7.3
 
Hello,

Not sure if I'm doing this correctly...
SecureCRT - Version 8.7.3 (x64 build 2279)


I'm trying to allow another guest to access the SecureCRT local port forwarding.

[PC (A) TELNET] -- > [PC (B) SecureCRT port 6200 ] -- > [Server Port 6200]

I have set up port forwarding from PC (B) to the server ... however, from reading and testing I can see the listen port 127.0.0.1:6200. Reading, I see that I will need to further modify <session>.ini and modify the following...

From:

S:"Port Forward Filter"=allow,127.0.0.1,0 deny,0.0.0.0,0
S:"Reverse Forward Filter"=allow,127.0.0.1,0 deny,0.0.0.0,0

To:

S:"Port Forward Filter"=allow,0.0.0.0/0.0.0.0,0 allow,192.168.100.155,6200
S:"Reverse Forward Filter"=allow,0.0.0.0/0.0.0.0,0 allow,192.168.100.155,6200

However, testing (and logging), I can verify the port is only opened for listening on 127.0.0.1 and not 0.0.0.0 to allow for connections?

I also tested changing the 127.0.0.1,0 to 128.0.0.1,0 <- and the port remained open on 127.0.0.1 and did not move to 128.0.0.1 as expected. Thus from the data it seems this version of SecureCRT does not work as intended OR am I just missing configuration needed?


Working Log:
TELNET:
telnet 127.0.0.1 6200

Welcome to Microsoft Telnet Client Escape Character is 'CTRL+]'

SECURECRT
[LOCAL] : Starting port forward from 127.0.0.1 on local 127.0.0.1:6200 to remote wtllab-productlicense-1.phaedrus.sandvine.com:6200.
[LOCAL] : SEND[1]: Send SSH_MSG_CHANNEL_OPEN("direct-tcpip")
[LOCAL] : RECV[1]: SSH_MSG_CHANNEL_OPEN
[LOCAL] : SEND[1]: SSH_MSG_CHANNEL_EOF
[LOCAL] : SEND[1]: channel close
[LOCAL] : RECV[1]: channel close.
[LOCAL] : RECV[1]: SSH_MSG_CHANNEL_CLOSE, closing socket.


Non-Working Log:

TELNET:
telnet 192.168.100.155 6200
Connecting To 192.168.100.155...Could not open connection to the host, on port 6200: Connect failed

SECURECRT:

^^ Nothing



Hummm .... Any thoughts?

Thank you.
Mr.D

jjh 09-08-2020 06:24 PM

Hello mr.dk.

When you configure standard SSH2 port forwarding in your session, you are configuring SecureCRT to listen on the specified port and forward the traffic along through the SSH2 server that you are connected to, to the target machine.

So for example, if you are connected to a server named "Server1" with your SecureCRT session and the machine that uses port 6200 is on a machine named "Server2", you would connect to localhost on port 6200 and the traffic would be forwarded through Server1 and end up at Server2.

The default port forward filter looks like the following, which would allow the traffic from the local loopback addresses in the 127.0.0.0 range:

S:"Port Forward Filter"=allow,127.0.0.0/255.0.0.0,0 deny,0.0.0.0/0.0.0.0,0

All other IP addresses would be denied.

I would expect that if you edited the port forward filter to look like the following, the IP address 192.168.100.155 would be allowed on all ports:

S:"Port Forward Filter"=allow,127.0.0.0/255.0.0.0,0 allow,192.168.100.155/255.255.255.255,0 deny,0.0.0.0/0.0.0.0,0

I would not recommend the change that you made to the reverse forward filter.

I would have expected the change that you made to be successful, but it seems too permissive. The "Allow" that you made for 192.168.100.155 would be redundant because you are already allowing connections from all IP addresses on all ports.

The other part of the problem you are experiencing is that SecureCRT is listening on the local loopback address only (IP address 127.0.0.1), which is only accessible to the local machine. You will need to change the port forward settings to listen on 0.0.0.0 (all IP addresses that belong to your machine, both the localhost IP addresses and the LAN private IP address), so that other machines on the network will have access to the port forward.

In the "Local" section of the "Local port forward properties" dialog you can enable the "Manually select local IP address on which to allow connections", then enter 0.0.0.0 as the IP address.

I have attached a screenshot of what I am referring to.

What does your port forward look like for the session?

Thank you.

JJH
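
An added example (not part of either post and not VanDyke code) that models the two independent checks discussed in this thread: the address the forward listens on, and the Port Forward Filter applied to the connecting source. Assumptions: rules are evaluated in order with the first match winning, port 0 means any port, an entry without a mask names one host, no match means deny, 192.168.100.155 is PC (B) because it is the telnet target in the non-working log, and 192.168.100.20 is a constructed address for PC (A).

```python
import ipaddress

# Filter strings from the thread; SCOPED is constructed for this example.
DEFAULT = "allow,127.0.0.0/255.0.0.0,0 deny,0.0.0.0/0.0.0.0,0"
PERMISSIVE = "allow,0.0.0.0/0.0.0.0,0 allow,192.168.100.155,6200"
SCOPED = ("allow,127.0.0.0/255.0.0.0,0 "
          "allow,192.168.100.20/255.255.255.255,6200 deny,0.0.0.0/0.0.0.0,0")
LOCAL_IPS = {"127.0.0.1", "192.168.100.155"}  # PC (B), per the telnet target

def parse_filter(value):
    """Parse 'action,addr[/mask],port ...' into (action, network, port) rules."""
    rules = []
    for entry in value.split():
        action, addr, port = entry.split(",")
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in {entry!r}")
        if "/" not in addr:  # assumption: no mask means a single host
            addr += "/255.255.255.255"
        net = ipaddress.ip_network(addr, strict=False)
        rules.append((action, net, int(port)))
    return rules

def filter_allows(rules, src_ip, port):
    """Assumed semantics: first match wins, port 0 = any port, no match = deny."""
    src = ipaddress.ip_address(src_ip)
    for action, net, rule_port in rules:
        if src in net and rule_port in (0, port):
            return action == "allow"
    return False

def listener_reachable(bind_ip, local_ips, dst_ip):
    """A socket bound to 0.0.0.0 accepts on every local address."""
    return dst_ip in local_ips if bind_ip == "0.0.0.0" else dst_ip == bind_ip

def can_connect(bind_ip, local_ips, rules, src_ip, dst_ip, port):
    """Both checks must pass: the listener is reachable and the filter allows."""
    return (listener_reachable(bind_ip, local_ips, dst_ip)
            and filter_allows(rules, src_ip, port))

if __name__ == "__main__":
    for bind in ("127.0.0.1", "0.0.0.0"):
        for name, text in (("DEFAULT", DEFAULT), ("PERMISSIVE", PERMISSIVE),
                           ("SCOPED", SCOPED)):
            ok = can_connect(bind, LOCAL_IPS, parse_filter(text),
                             "192.168.100.20", "192.168.100.155", 6200)
            print(f"bind={bind:<9} filter={name:<10} PC(A)->6200 allowed={ok}")
```

Under these assumptions the permissive filter admits any source on any port once the listener is bound to 0.0.0.0, while the scoped filter admits only the one client on port 6200.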

