
Port forwarding exposes services to the local network #1915

Closed
3 tasks done
konradziczek opened this issue Dec 9, 2023 · 7 comments
Labels
feature Feature requested by users

Comments

@konradziczek

Checklist

Configuration

Blink v17.1.0.854
iPadOS 17.1.2
Device: iPad Air 5

Describe the bug

The ssh command does not support the full -L argument format.
Currently it is:
port:host:hostport
It should be:
[bind_address:]port:host:hostport

Port forwarding in Blink attaches to all local interfaces, which can be considered a security issue. I created a tunnel to a service on another server, and my iPad exposed that service on my home network. When I went to http://my_ipad_address:forwarded_port on my computer, I saw a forwarded service.
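A defender's check for the situation described above, as an added example that is not part of the issue or of Blink: given the text output of `ss -ltn` on a Linux host (the sample below is constructed), it classifies each listening socket as loopback-only, bound to a specific address, or bound to all interfaces, so a forwarded port that landed on `0.0.0.0`/`[::]` stands out. The column layout is assumed to match `ss -ltn`; other tools (`netstat -an` on macOS, for instance) print a different format and are not handled here.

```python
"""Classify listening TCP sockets from `ss -ltn` output (added example, not from the issue).

A local port forward that binds to every interface shows up here as 0.0.0.0:<port>
or [::]:<port>; a loopback-only forward shows up as 127.0.0.1:<port> or [::1]:<port>.
"""
from typing import List, Tuple

WILDCARDS = {"0.0.0.0", "*", "::"}       # any interface
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def split_addr_port(field: str) -> Tuple[str, int]:
    """'127.0.0.1:8080' -> ('127.0.0.1', 8080); '[::]:22' -> ('::', 22)."""
    addr, _, port = field.rpartition(":")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]                # strip IPv6 brackets
    return addr, int(port)


def classify(addr: str) -> str:
    if addr in WILDCARDS:
        return "all-interfaces"
    if addr in LOOPBACK:
        return "loopback"
    return "specific"


def parse_ss_listeners(text: str) -> List[Tuple[int, str, str]]:
    """Return (port, address, scope) for every LISTEN row of `ss -ltn` text."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                     # header line or not a listener
        addr, port = split_addr_port(cols[3])
        rows.append((port, addr, classify(addr)))
    return rows


def exposed_ports(text: str) -> List[int]:
    """Sorted ports that are reachable on every interface (the reporter's case)."""
    return sorted({port for port, _, scope in parse_ss_listeners(text)
                   if scope == "all-interfaces"})


def tunnel_scope(text: str, port: int) -> str:
    """Worst-case scope of a given port: any wildcard socket makes it exposed."""
    scopes = {scope for p, _, scope in parse_ss_listeners(text) if p == port}
    if not scopes:
        return "not listening"
    for worst in ("all-interfaces", "specific", "loopback"):
        if worst in scopes:
            return worst
    return "loopback"


# Constructed sample of `ss -ltn` output; 8080 is a loopback-only forward,
# 8081 is the same kind of forward bound to all interfaces.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8081         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     [::1]:3306           [::]:*
LISTEN  0       128     192.0.2.10:9000      0.0.0.0:*
"""

if __name__ == "__main__":
    print("exposed on all interfaces:", exposed_ports(SAMPLE_SS))
    for p in (8080, 8081, 4444):
        print(p, "->", tunnel_scope(SAMPLE_SS, p))
```

On a live host, pipe real output in (`ss -ltn | python3 this_script.py` after replacing `SAMPLE_SS` with `sys.stdin.read()`); the check to run after opening a tunnel is `tunnel_scope(output, forwarded_port)`, which should come back `loopback` unless the exposure was intended.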

@konradziczek konradziczek added the bug Bug that's either related to Blink Shell or prevents the user to use the app in normal conditions. label Dec 9, 2023
@carloscabanero carloscabanero added feature Feature requested by users and removed bug Bug that's either related to Blink Shell or prevents the user to use the app in normal conditions. labels Dec 11, 2023
@carloscabanero
Member

Hi! I will see what we can do. The default according to ssh manual is to map it to all interfaces. I will see if at least we can do "localhost" only.

"""
However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of "localhost" indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces.
"""

@orazioedoardo

orazioedoardo commented Dec 17, 2023

Note that binding to the LAN IP isn't a way to prevent people from connecting from outside the local network, if that's what you mean by security issue.

EDIT: oh, you want localhost only, not LAN, sorry.

@carloscabanero
Member

Fixed this and will be out on v17.2.0. I added the GatewayPorts (yes/no) flag, which is also available on clients and it seems to be the flag blocking the port from being forwarded everywhere. It works very well for our case because NWListener on iOS allows you to specify the type of interface (not even the specific one or the address).

The documentation here is clear. On LocalForward in the manual:
"""
By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ''localhost'' indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces.
"""

But interestingly, https://www.ssh.com/academy/ssh/tunneling-example made the same mistake I made:
"""
By default, anyone (even on different machines) can connect to the specified port on the SSH client machine. However, this can be restricted to programs on the same host by supplying a bind address
"""

Because we cannot do bind_address, we now limit by interface, and GatewayPorts is an all-or-nothing approach.
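The two rule sets discussed in this thread, the `[bind_address:]port:host:hostport` syntax from the bug report and the LocalForward/GatewayPorts semantics quoted from the ssh manual, written out as a reference resolver. This is an added example, not Blink's code or OpenSSH's: it models the OpenSSH text (explicit `localhost` means loopback; empty or `*` means all interfaces; no bind_address defers to GatewayPorts, which defaults to `no`), and it assumes OpenSSH's rule that the first obtained value of an option wins (`-o` options first, then `Host` blocks in file order). The host names and the `~/.ssh/config` snippet are constructed; how Blink itself reads its config is not modelled.

```python
"""Resolve where an ssh -L / LocalForward listener binds (added example, not Blink code).

Rules taken from the ssh(1) / ssh_config(5) text quoted in this thread:
  - spec syntax is [bind_address:]port:host:hostport (IPv6 literals in brackets)
  - an explicit bind_address of "localhost" means loopback only
  - an empty bind_address or "*" means all interfaces
  - any other explicit bind_address is used as given
  - with no bind_address, GatewayPorts decides: "no" (default) -> loopback, "yes" -> all
Assumed from OpenSSH: the first obtained value of an option wins (-o first, then
Host blocks in file order). Host names and config text below are constructed.
"""
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional


class Forward(NamedTuple):
    bind_address: Optional[str]  # None when the spec omitted the field entirely
    port: int
    host: str
    hostport: int


def _split_spec(spec: str) -> list:
    """Split on ':' while keeping bracketed IPv6 literals such as [::1] intact."""
    fields, buf, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append(buf)
            buf = ""
        else:
            buf += ch
    fields.append(buf)
    return [f[1:-1] if f.startswith("[") and f.endswith("]") else f for f in fields]


def parse_local_forward(spec: str) -> Forward:
    """Parse a -L / LocalForward argument into its components."""
    fields = _split_spec(spec)
    if len(fields) == 3:       # port:host:hostport (bind_address omitted)
        bind, port, host, hostport = None, *fields
    elif len(fields) == 4:     # bind_address:port:host:hostport ("" and "*" allowed)
        bind, port, host, hostport = fields
    else:
        raise ValueError(f"unsupported -L spec: {spec!r}")
    return Forward(bind, int(port), host, int(hostport))


def effective_bind(fwd: Forward, gateway_ports: bool) -> str:
    """Return 'loopback', 'all', or the literal address the listener will use."""
    if fwd.bind_address is None:
        return "all" if gateway_ports else "loopback"
    if fwd.bind_address == "localhost":
        return "loopback"
    if fwd.bind_address in ("", "*"):
        return "all"
    return fwd.bind_address


def resolve_gateway_ports(host: str, config_text: str, cli_options=()) -> bool:
    """GatewayPorts for `host`: -o values first, then matching Host blocks in order."""
    values = []
    for opt in cli_options:                      # e.g. "GatewayPorts=yes"
        key, _, val = opt.partition("=")
        if key.strip().lower() == "gatewayports":
            values.append(val.strip())
    active = True                                # lines before any Host block apply to all
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = any(fnmatchcase(host, p) for p in val.replace(",", " ").split())
            continue
        if active and key == "gatewayports":
            values.append(val)
    return bool(values) and values[0].lower() == "yes"


# Constructed ~/.ssh/config: host-specific block first, global default last,
# because the first matching value wins.
SAMPLE_CONFIG = """
Host build-box
    GatewayPorts no

Host *
    GatewayPorts yes
"""

if __name__ == "__main__":
    for spec, host, opts in [("8080:db.internal:5432", "build-box", ()),
                             ("8080:db.internal:5432", "jump.example", ()),
                             ("8080:db.internal:5432", "build-box", ("GatewayPorts=yes",)),
                             ("localhost:8080:db.internal:5432", "jump.example", ())]:
        fwd = parse_local_forward(spec)
        gw = resolve_gateway_ports(host, SAMPLE_CONFIG, opts)
        print(f"{spec:34} host={host:13} GatewayPorts={gw!s:5} -> binds {effective_bind(fwd, gw)}")
```

The ordering in `SAMPLE_CONFIG` is the practical caveat: if `Host *` with `GatewayPorts yes` is placed at the top of the file, a later `Host build-box` block cannot switch it back to `no`, so a global default belongs at the end.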

@carloscabanero
Member

Out on 17.2.0. Closing here.

@NN708

NN708 commented Feb 14, 2024

Hello! I upgraded to the latest version, but I couldn't find the option for GatewayPorts in the configuration. Should I manually set GatewayPorts yes in the SSH config of each host?

@carloscabanero
Member

If you want to set it as the default for all your hosts, you can define it in the global section of .ssh/config:

Host *
   GatewayPorts yes

If you want to use it only for a host on specific tunnels, you can add it to the command. After doing -L port:<addr>:<port> add -o GatewayPorts=yes. And if you want to have it all the time for that Host, then add it to that Host configuration in the UI.

Any of them should do the trick.

@NN708

NN708 commented Feb 14, 2024

@carloscabanero Thanks for your kind help!
