Stuart Henderson wrote:
> On 2009-08-21, Cian Brennan <[email protected]> wrote:
>> Turn off ssh forwarding? set AllowTcpForwarding to no, in your sshd_config.
>
> you can do this in a Match section too if you need to allow it for
> some users.
>
>> Of course, with a bit of effort and some netcat, the user will probably still
>> be able to turn a normal connection into forwarding, but this should at least
>> make it more difficult.
>
> PF lets you block/pass local connections by userid. It also lets
> you write UID/PID to the logs if you want a record.

I see that both PF and SSHd allow for group level controls. Cool! That
allows changes to apply to classes of users, perhaps making it easier to
sort, manage, or scale:

    Match Group in sshd_config(5)
and
    group <group> from pf.conf(5)

However, it may be helpful to find out what kind of problem the user is
trying to solve by forwarding.

Regards,
-Lars
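
The two group-level controls discussed in this thread, side by side, as an added example that is not from any of the posters. The group names `fwdok` and `nofwd` are hypothetical, and the pf rule assumes `nofwd` is the primary group of the restricted accounts.

```conf
# ---- /etc/ssh/sshd_config (fragment) ----
# Forwarding is off for everyone by default.
AllowTcpForwarding no

# Members of the hypothetical group "fwdok" get it back.
# Match blocks go at the end of the file: they stay in effect
# until the next Match line or end of file.
Match Group fwdok
    AllowTcpForwarding yes

# ---- /etc/pf.conf (fragment) ----
# Covers the netcat workaround mentioned above: any outbound TCP
# connection opened by a process in the hypothetical group "nofwd"
# is blocked, whether it comes from sshd forwarding or from a tool
# started in the user's shell.
#
# "log (user)" writes the UID and PID of the socket owner to pflog,
# which gives the record of who attempted what.
#
# pf matches the effective group ID of the socket, so this relies on
# "nofwd" being the primary group (assumption). If the ruleset has
# "set skip on lo", loopback connections are not filtered at all.
block out log (user) quick proto tcp all group nofwd
```

Check both files before reloading with `sshd -t` and `pfctl -nf /etc/pf.conf`; the logged attempts can be read with `tcpdump -n -e -ttt -i pflog0`.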

