Bind port forwarding to privileged ports
The TCP/IP port numbers below 1024 are special in that normal users are not allowed to bind to them.
Remote Port Forwarding
The logged-in user must be root; otherwise the SSH server may refuse to bind to privileged ports.
Local / Dynamic Port Forwarding
Codinn SSH is fully compliant with App Sandbox, which protects you from malicious software and keeps your computer and your information safe.
As a result, SSH Tunnel and SSH Proxy cannot bind to privileged ports directly, since sandboxing forbids this.
But this can easily be accomplished with the aid of the ipfw utility. We can set SSH Tunnel's or SSH Proxy's dynamic port forwarding to bind to, for example, 7070, and then let ipfw forward your desired privileged port, for example 70, to 7070.
Here are the steps:
1. Create Forwarding Rule
sudo nano /etc/pf.anchors/ssh.tunnel.forwarding
Copy and paste the following code into the file:
rdr pass on lo0 inet proto tcp from any to 127.0.0.1 port 70 -> 127.0.0.1 port 7070
The rule above forwards all incoming TCP requests for 127.0.0.1 port 70 to 127.0.0.1 port 7070.
2. Reference the rule in Port Forwarding config
The original for this reference is /etc/pf.conf
However, it's recommended to create a new file, because macOS updates usually overwrite this file by default.
sudo nano /etc/pf-sshtunnel.conf
Put these lines:
rdr-anchor "forwarding"
load anchor "forwarding" from "/etc/pf.anchors/ssh.tunnel.forwarding"
Note: put an empty line at the bottom of the file, or it won't work.
3. Apply the Rule
sudo pfctl -ef /etc/pf-sshtunnel.conf
4. Stop the port forwarding rules
Here's how to stop the port forwarding rules we have defined above.
sudo pfctl -d
To flush all NAT, filter, state, and table rules and reload the default /etc/pf.conf:
sudo pfctl -F all -f /etc/pf.conf
5. Auto-apply the Rule
Enable the rule automatically by creating a launch daemon (via this doc) that runs
pfctl -ef /etc/pf-sshtunnel.conf on boot.
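A pre-flight check for the rule file from step 1, to run before applying it in step 3 or at boot in step 5. This is an added example, not Codinn's code. The function name check_anchor and the policy it enforces (redirects stay on lo0 and 127.0.0.1, and map a privileged port to an unprivileged one) are assumptions taken from the rule shown above, so that a later edit cannot quietly expose the tunnel port on another interface.

```shell
#!/bin/sh
# Added example (not Codinn's code): lint a pf rules file before `pfctl -ef`.
# Assumed policy, based on the page's rule: every rdr rule stays on lo0 and
# 127.0.0.1 and maps a privileged port (<1024) to an unprivileged one (>=1024).

check_anchor() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "$file: not readable" >&2; return 2; }

    # The page's note: the file must end with a newline or it won't work.
    if [ -n "$(tail -c 1 "$file")" ]; then
        echo "$file: last line is not newline-terminated" >&2
        rc=1
    fi

    # `|| [ -n "$line" ]` still reads a final line that lacks its newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            rdr\ *) ;;               # only rdr rules are checked
            *) continue ;;
        esac
        case $line in
            *" on lo0 "*) ;;
            *) echo "not bound to lo0: $line" >&2; rc=1 ;;
        esac
        # Pull "dst dport target tport" out of "to A port N -> B port M".
        set -- $(printf '%s\n' "$line" |
            sed -n 's/.* to \([^ ]*\) port \([0-9]*\) -> \([^ ]*\) port \([0-9]*\)$/\1 \2 \3 \4/p')
        if [ $# -ne 4 ]; then
            echo "unrecognised rdr form: $line" >&2
            rc=1
            continue
        fi
        [ "$1" = 127.0.0.1 ] && [ "$3" = 127.0.0.1 ] ||
            { echo "non-loopback address: $line" >&2; rc=1; }
        [ "$2" -lt 1024 ] && [ "$4" -ge 1024 ] ||
            { echo "expected privileged -> unprivileged port: $line" >&2; rc=1; }
    done < "$file"
    return $rc
}

# Usage: check_anchor /etc/pf.anchors/ssh.tunnel.forwarding &&
#            sudo pfctl -ef /etc/pf-sshtunnel.conf
```

The function returns 0 when every rdr rule matches the policy, 1 on any violation, and 2 if the file cannot be read.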