Configuring Port-Forwarding Filters

SecureCRT


SecureCRT port-forwarding filters let you allow or deny connections from a specific IP address or a range of subnets. The filter configuration is stored in the session initialization file (<session name>.ini) in the SecureCRT Config/Sessions folder.

Port-forwarding filters are defined in a list and applied in order, from first to last, so entry order matters. When an application makes a port-forward connection via SecureCRT, the IP address of the application's machine is checked against each filter entry in turn, starting with the first. The first entry whose criteria the address meets is applied, and the rest of the list is ignored. An empty list will deny all port-forwarding connections.

The filter syntax is as follows:

"Port Forward Filter"=[access,host] [access,host] [...]

In the above syntax, the argument values are as follows:

access - allow or deny

host - IP address or a range of subnets

The default setting for the port-forward filter is as follows:

S:"Port Forward Filter"=allow,127.0.0.1,0 deny,0.0.0.0/0.0.0.0,0

This setting allows connections from localhost, but denies connections from any other machine.

Reverse Port Forwarding

SecureCRT also supports reverse port forwarding.

The filter syntax is as follows:

"Reverse Forward Filter"=[access,host] [access,host] [...]

In the above syntax, the argument values are as follows:

access - allow or deny

host - IP address or a range of subnets

The default setting for the reverse port-forward filter is as follows:

S:"Reverse Forward Filter"=allow,127.0.0.1,0 deny,0.0.0.0/0.0.0.0,0

This setting allows connections from localhost, but denies connections from any other machine.

Example Filters

The following is an example of a port-forward filter list that allows connections from the specified machines (Alice's cable modem at 129.24.32.16 and Bob's DSL subnet at 198.129.241.85/255.255.255.128,0) but denies access from other machines:

S:"Port Forward Filter"=allow,129.24.32.16,0 allow,198.129.241.85/255.255.255.128,0 deny,0.0.0.0/0.0.0.0,0

This example list will allow all connections:

S:"Port Forward Filter"=allow,0.0.0.0/0.0.0.0,0

Or, for IPv6:

S:"Port Forward Filter"=allow,::/0,0

And this example list will allow everything in a local reserved class C network and any localhost loopback adapter (e.g., 127.0.0.2 or 127.0.0.3), and deny everything else:

S:"Port Forward Filter"=allow,192.168.0.0/255.255.255.0,0 allow,127.0.0.0/255.255.255.0,0 deny,0.0.0.0/0.0.0.0,0

A more common filter would be the following, which allows localhost (127.0.0.1,0), allows any host on the local 192.168.0.0 network, and denies everything else:

S:"Port Forward Filter"=allow,127.0.0.1,0 allow,192.168.0.0/255.255.255.0,0 deny,0.0.0.0/0.0.0.0,0

The following is an example of a port-forward filter list that allows specific IPv6 connections:

S:"Port Forward Filter"=allow,::ffff:198.129.241.85/128,0

For reverse port forwarding, the syntax is similar. For example, this list will allow everything in a local reserved class C network and any localhost loopback adapter (e.g., 127.0.0.2 or 127.0.0.3), and deny everything else:

S:"Reverse Forward Filter"=allow,192.168.0.0/255.255.255.0,0 allow,127.0.0.0/255.255.255.0,0 deny,0.0.0.0/0.0.0.0,0
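Because the first matching entry decides and the rest of the list is ignored, a filter list can be checked offline before it goes into a session file. The following Python code is an added example, not SecureCRT code: it parses a filter line, reports which entry decides a given source address, and flags entries that can never apply because an earlier entry already covers them. It assumes the third comma-separated field can be ignored and that an address matching no entry is denied; neither is stated on this page.

```python
import ipaddress

# Filter lines copied from the page; SHADOWED is a constructed sample.
DEFAULT = 'S:"Port Forward Filter"=allow,127.0.0.1,0 deny,0.0.0.0/0.0.0.0,0'
ALICE_BOB = ('S:"Port Forward Filter"=allow,129.24.32.16,0 '
             'allow,198.129.241.85/255.255.255.128,0 deny,0.0.0.0/0.0.0.0,0')
SHADOWED = ('S:"Port Forward Filter"=allow,0.0.0.0/0.0.0.0,0 '
            'deny,10.0.0.0/255.0.0.0,0')

def parse_filter(line):
    """Return [(access, network), ...] in list order for one filter line."""
    _, _, value = line.partition("=")
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if len(fields) < 2 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"malformed filter entry: {entry!r}")
        # Assumption: the third field (",0") is ignored here.
        # strict=False accepts host bits under the mask, as in the page's
        # 198.129.241.85/255.255.255.128 example.
        rules.append((fields[0], ipaddress.ip_network(fields[1], strict=False)))
    return rules

def decide(rules, source):
    """First matching entry wins; returns (access, index of deciding entry)."""
    addr = ipaddress.ip_address(source)
    for index, (access, net) in enumerate(rules):
        if addr in net:          # False when IPv4/IPv6 versions differ
            return access, index
    # Empty list denies everything (per the page); denying on "no entry
    # matched" is an assumption of this example.
    return "deny", None

def shadowed(rules):
    """Indices of entries fully covered by an earlier entry (never applied)."""
    dead = []
    for i, (_, net) in enumerate(rules):
        if any(net.version == prev.version and net.subnet_of(prev)
               for _, prev in rules[:i]):
            dead.append(i)
    return dead

if __name__ == "__main__":
    for src in ("129.24.32.16", "198.129.241.100", "198.129.241.200"):
        print(src, decide(parse_filter(ALICE_BOB), src))
    print("never-applied entries:", shadowed(parse_filter(SHADOWED)))
```

In the constructed SHADOWED list the deny entry is reported as never applied: the allow-all entry ahead of it matches every IPv4 address first.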