Forwarding Security: TCP-Wrappers and libwrap

At several points in this chapter, we have talked about security issues and limitations of forwarding. So far, we’ve seen very little control over who can connect to a forwarded port. The OpenSSH default is to allow connections only from the local host, which is reasonably secure for a single-user machine. But if you need to allow connections from elsewhere, you have a problem, since it’s all or nothing: to allow connections from elsewhere (using -g or GatewayPorts yes), you must allow them from anywhere. And with Tectia it’s worse: forwarded ports always accept connections from anywhere. X forwarding is in a slightly better position, since the X protocol has its own authentication, but you might still prefer to restrict access, preventing intruders from exploiting an unknown security flaw or performing a denial-of-service attack. SSH on the Unix platform provides an optional feature for access control based on the client address, called “TCP-wrappers.”

The term “TCP-wrappers” refers to software written by Wietse Venema. If it isn’t already installed in your Unix distribution, you can get it at:

TCP-wrappers are a global access control mechanism that integrates with other TCP-based servers, such as sshd or telnetd. Access control is based on the source address of incoming TCP connections. That is, a TCP-wrapper permits or denies connections based on their origin, as specified in the configuration ...
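As an added illustration (not code from this book or from Venema's TCP-wrappers package), the following Python model reproduces the hosts_access(5) decision that libwrap makes for a service such as sshd: hosts.allow is consulted first, then hosts.deny, and a connection that matches neither file is permitted. The two rule files are constructed samples; the pattern subset handled (ALL, LOCAL, net/mask, address prefix, domain suffix, EXCEPT) is assumed from hosts_access(5), IPv4 only.

```python
import ipaddress

# Constructed sample rule files (not from the page). Each line reads
# "daemon_list : client_list"; see hosts_access(5) for the full syntax.
HOSTS_ALLOW = """
# permit sshd from the office LAN and from hosts with an unqualified name
sshd : 192.168.1.0/255.255.255.0, LOCAL
# permit sshd from 10/8 except the guest segment
sshd : 10.0.0.0/255.0.0.0 EXCEPT 10.0.99.
"""
HOSTS_DENY = """
sshd : ALL
"""

def _match_client(pattern, host, addr):
    """Does one client pattern match the connecting host/address?"""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":             # host name without a dot
        return host is not None and "." not in host
    if "/" in pattern:                 # n.n.n.n/m.m.m.m net/mask pair
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):          # address prefix, e.g. "10.0.99."
        return addr.startswith(pattern)
    if pattern.startswith("."):        # domain suffix, e.g. ".example.com"
        return host is not None and host.endswith(pattern)
    return pattern in (host, addr)     # literal host name or address

def _match_list(client_list, host, addr):
    """'a, b EXCEPT c' matches when a or b matches and c does not."""
    include, _, exclude = client_list.partition(" EXCEPT ")
    hit = any(_match_client(p, host, addr) for p in include.split(","))
    if hit and exclude:
        hit = not any(_match_client(p, host, addr) for p in exclude.split(","))
    return hit

def _file_matches(text, daemon, host, addr):
    """True if any non-comment line of the file matches daemon and client."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        names = [d.strip() for d in daemons.split(",")]
        if ("ALL" in names or daemon in names) and _match_list(clients, host, addr):
            return True
    return False

def hosts_access(daemon, addr, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: allow file first, then deny file, else permit."""
    if _file_matches(allow, daemon, host, addr):
        return True
    if _file_matches(deny, daemon, host, addr):
        return False
    return True
```

Note that the closing `sshd : ALL` in hosts.deny is what turns the allow list into a whitelist; without it, any address not listed in hosts.allow would still be permitted.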
