Something that has come up recently is a requirement for an SSM-connected Bastion instance to be policed as to what target addresses it should be allowed to port-forward to.
While investigating this I found the Mgs.DeniedPortForwardingRemoteIPs list in the configuration file, and saw how it was being used in the port plugin logic.
Although this gives you the ability to forbid IP addresses from port-forwarding, it only allows you to specify those as individual addresses. The use case I am working with currently requires that targets can be disallowed across a range of IP addresses described by a CIDR.
This looked to be easy to add and I have prepared a commit in a forked repository which I will attach here for feedback.
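As an added illustration (not code from the agent or from the commit mentioned above), the following Go snippet shows how a deny list that accepts both individual IPs and CIDR ranges could be parsed and enforced; the `DenyList` type and function names are hypothetical and the sample entries are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// DenyList is a parsed DeniedPortForwardingRemoteIPs-style list whose entries
// may be single IPs (existing behaviour) or CIDRs (the proposed extension).
type DenyList []*net.IPNet

// ParseDenyList widens single IPs to /32 or /128 so one membership check
// covers both entry kinds; a malformed entry is a configuration error.
func ParseDenyList(entries []string) (DenyList, error) {
	var dl DenyList
	for _, entry := range entries {
		if _, ipNet, err := net.ParseCIDR(entry); err == nil {
			dl = append(dl, ipNet)
			continue
		}
		ip := net.ParseIP(entry)
		if ip == nil {
			return nil, fmt.Errorf("deny entry %q is neither an IP nor a CIDR", entry)
		}
		bits := 32 // single IPv4 address becomes a /32
		if ip.To4() == nil {
			bits = 128 // single IPv6 address becomes a /128
		}
		dl = append(dl, &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)})
	}
	return dl, nil
}

// IsDenied reports whether a port-forwarding target is blocked by the list.
// Assumption: a target that is not an IP literal cannot be evaluated against
// the list, so it is treated as denied (fail closed).
func (dl DenyList) IsDenied(target string) bool {
	ip := net.ParseIP(target)
	if ip == nil {
		return true
	}
	for _, n := range dl {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
```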