Ssh port forwarding? #300

Open
fzyzcjy opened this issue Apr 13, 2022 · 2 comments


fzyzcjy commented Apr 13, 2022

Hi, thanks for the project! I wonder whether ssh port forwarding is supported? For example, suppose there is an application in the private network using port 1234, and I want to communicate with that port directly from my local development machine. If the bastion is a normal server, I can use ssh port forwarding like ssh the-bastion -L 1234:some-ip:1234 and happily access localhost:1234 on my development machine.

Collaborator

speed47 commented Jun 24, 2022

Hey @fzyzcjy, actually ssh port forwarding is explicitly disabled on the bastion, because it could be used as a way to bypass its logic entirely and punch a hole in the traceability feature.

For example, you could redirect a remote ssh port to your own machine, through the bastion, then use this tunnel to access it remotely from your machine, without using the bastion logic anymore, and the bastion wouldn't be able to see anything.

Disabling port forwarding helps assert that the accesses are exhaustively traced on your infrastructure (closes a possible loophole), and as traceability is one of the main missions of the bastion, that's why it has been done this way.
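
Added example, not part of the thread and not the bastion project's own code: a small audit of generic OpenSSH `sshd_config` text that reports any forwarding type still enabled, the condition the comment above says would let a tunnel escape tracing. The function name and the sample configurations are constructed for illustration; how the bastion itself disables forwarding is not shown on this page.

```python
# Added example: audit sshd_config text for forwarding left enabled.
# Assumes OpenSSH semantics: keywords are case-insensitive, the first global
# value for a keyword wins, Match blocks override globals, and
# "DisableForwarding yes" switches every forwarding type off.

# keyword -> (OpenSSH default, value that means "off")
WATCHED = {
    "allowtcpforwarding": ("yes", "no"),
    "allowstreamlocalforwarding": ("yes", "no"),
    "allowagentforwarding": ("yes", "no"),
    "x11forwarding": ("no", "no"),
    "permittunnel": ("no", "no"),
    "disableforwarding": ("no", "yes"),
}

def audit_forwarding(config_text):
    """Return (scope, keyword, value) tuples for settings to review."""
    first_global, findings, match_scope = {}, [], None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            match_scope = f"Match {value} (line {lineno})"
        elif key in WATCHED:
            value = value.lower()
            if match_scope is None:
                first_global.setdefault(key, value)  # later repeats are ignored
            elif value != WATCHED[key][1]:
                # Conservative: any override that is not "off" gets reviewed.
                findings.append((match_scope, key, value))
    effective = {k: first_global.get(k, d) for k, (d, _) in WATCHED.items()}
    if effective["disableforwarding"] != "yes":
        for key, (_, off) in WATCHED.items():
            if key != "disableforwarding" and effective[key] != off:
                findings.append(("global", key, effective[key]))
    return findings

# Constructed sample inputs, not taken from any real bastion.
WEAK = """\
# constructed sample
AllowTcpForwarding yes
AllowTcpForwarding no
X11Forwarding no
Match User deploy
    PermitTunnel yes
"""
HARDENED = "DisableForwarding yes\nAllowTcpForwarding yes\n"
```

In `WEAK` the second `AllowTcpForwarding no` has no effect because the first value wins, and the `Match` override is reported separately from the global findings.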

Author

fzyzcjy commented Jun 24, 2022

Hi, thanks for your reply!

My use case is mainly accessing Kubernetes in my cluster from my own computer. So is this feasible using the bastion (without using port forwarding)?
