Bind port forwarding to privileged ports

TCP/IP port numbers below 1024 are special: normal (non-root) users are not allowed to bind to them.

Remote Port Forwarding

The logged-in user must be root; otherwise the SSH server may refuse to bind to privileged ports.

Local / Dynamic Port Forwarding

Codinn SSH is fully compliant with App Sandbox, which protects you from malicious software and keeps your computer and your information safe.

As a result, SSH Tunnel and SSH Proxy cannot bind to privileged ports directly, because the sandbox forbids it.

This can still be accomplished easily with the help of the pf packet filter (controlled with the pfctl utility, as in the commands below). Set SSH Tunnel's or SSH Proxy's dynamic port forwarding to bind to an unprivileged port, for example 7070, and then let pf redirect the privileged port you want, for example 70, to 7070.

Here are the steps:

1. Create Forwarding Rule

sudo nano /etc/pf.anchors/ssh.tunnel.forwarding

Copy and paste the following line into the file:

rdr pass on lo0 inet proto tcp from any to 127.0.0.1 port 70 -> 127.0.0.1 port 7070

The rule above redirects all incoming TCP connections to 127.0.0.1 port 70 to 127.0.0.1 port 7070. Because it is attached to lo0, only connections arriving on the loopback interface are redirected.

2. Reference the rule in Port Forwarding config

This rule would normally be referenced from /etc/pf.conf.

However, it is recommended to create a new file instead, because macOS updates usually overwrite /etc/pf.conf.

Create /etc/pf-sshtunnel.conf

sudo nano /etc/pf-sshtunnel.conf

Put these lines:

rdr-anchor "forwarding"
load anchor "forwarding" from "/etc/pf.anchors/ssh.tunnel.forwarding"

Note: the file must end with an empty line (a trailing newline), or pfctl will not load it.

3. Apply the Rule

sudo pfctl -ef /etc/pf-sshtunnel.conf

4. Stop the port forwarding rules

To stop the port forwarding rules defined above, disable pf. Note that this disables the whole packet filter, not only these rules:

sudo pfctl -d

To flush all NAT, filter, state, and table rules and reload the default /etc/pf.conf:

sudo pfctl -F all -f /etc/pf.conf

5. Auto-apply the Rule

To apply the rule automatically, create a launch daemon as described in this doc that runs pfctl -ef /etc/pf-sshtunnel.conf on boot.
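A script version of steps 1 to 5, added here as an example; it is not part of Codinn's documentation or product. It writes the anchor file and the separate pf config for any privileged/unprivileged port pair (so it generalizes the 70 -> 7070 case above), checks the trailing-newline requirement from step 2, dry-runs the rules with pfctl when that tool is present, and writes a launchd plist for step 5. The directory argument (which lets it run against a scratch directory without root), the port range checks, the plist label com.example.pf-sshtunnel and the PF_DEMO switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Codinn's code. Generates and checks the pf files from the
# steps above. Pass /etc as DIR (and run with sudo) to produce the real files;
# any other directory is a harmless dry run.

# write_pf_files DIR PRIV_PORT HIGH_PORT
#   Step 1 + step 2: writes DIR/pf.anchors/ssh.tunnel.forwarding and
#   DIR/pf-sshtunnel.conf. Returns 1 if the ports are outside the ranges
#   that make the redirect meaningful (assumed check, not from the page).
write_pf_files() {
    dir=$1; priv=$2; high=$3
    [ "$priv" -ge 1 ] && [ "$priv" -lt 1024 ] \
        || { echo "privileged port must be 1-1023" >&2; return 1; }
    [ "$high" -ge 1024 ] && [ "$high" -le 65535 ] \
        || { echo "target port must be 1024-65535" >&2; return 1; }
    mkdir -p "$dir/pf.anchors" || return 1
    anchor="$dir/pf.anchors/ssh.tunnel.forwarding"
    conf="$dir/pf-sshtunnel.conf"
    # Step 1: the rdr rule, scoped to lo0 so only loopback clients are redirected.
    printf 'rdr pass on lo0 inet proto tcp from any to 127.0.0.1 port %s -> 127.0.0.1 port %s\n' \
        "$priv" "$high" > "$anchor"
    # Step 2: a separate conf so macOS updates to /etc/pf.conf do not clobber it.
    # printf terminates every line with \n, which gives pfctl the trailing newline it needs.
    printf 'rdr-anchor "forwarding"\nload anchor "forwarding" from "%s"\n' "$anchor" > "$conf"
}

# ends_with_newline FILE -> status 0 if the file is non-empty and its last byte is \n
# (command substitution strips trailing newlines, so the output is empty exactly then).
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# check_rules DIR -> verifies the trailing-newline caveat on both files and, when
# pfctl exists (macOS), parses the rules without loading them (-n).
check_rules() {
    conf="$1/pf-sshtunnel.conf"
    ends_with_newline "$conf" || { echo "missing trailing newline: $conf" >&2; return 1; }
    ends_with_newline "$1/pf.anchors/ssh.tunnel.forwarding" \
        || { echo "missing trailing newline in anchor file" >&2; return 1; }
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$conf"
    fi
}

# apply_rules CONF -> step 3 (needs root)
apply_rules() {
    pfctl -ef "$1"
}

# write_launchd_plist DIR CONF -> step 5: a LaunchDaemon that runs pfctl -ef CONF at
# boot. The label is a placeholder; install the file under /Library/LaunchDaemons.
write_launchd_plist() {
    cat > "$1/com.example.pf-sshtunnel.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.pf-sshtunnel</string>
    <key>ProgramArguments</key>
    <array><string>/sbin/pfctl</string><string>-ef</string><string>$2</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# Demo run against a scratch directory: PF_DEMO=1 sh thisscript.sh
if [ "${PF_DEMO:-}" = 1 ]; then
    tmp=$(mktemp -d)
    write_pf_files "$tmp" 70 7070 && check_rules "$tmp" \
        && write_launchd_plist "$tmp" "$tmp/pf-sshtunnel.conf" \
        && cat "$tmp/pf.anchors/ssh.tunnel.forwarding" "$tmp/pf-sshtunnel.conf"
fi
```

Running the demo against a temporary directory shows the two files exactly as steps 1 and 2 describe them; pointing DIR at /etc under sudo and then calling apply_rules /etc/pf-sshtunnel.conf performs step 3.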
