I have set up a second instance of the sshd service, which I want to use to allow remote tunnelling on.
I followed How to restrict an SSH user to only allow SSH-tunneling? - that showed me how to lock a user down to only allow remote or local tunnelling, but I'm concerned that someone could open a connection to do local forwarding to a port that I don't want to be publicly accessible.
They could also use it to hit services that would otherwise be restricted to local connections only, because the forwarding would make it seem that the connections are local (I believe).
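The kind of lock-down the question is asking about, as an added illustration rather than anything from the post or its linked answer: a `Match` block for the second sshd instance's config that permits remote forwarding only, refuses every local (`-L`/`-D`) forward, and removes the shell the user would otherwise need to run a forwarder of their own. The user name `tunnel`, the listen ports and the file path are assumptions.

```sshd_config
# Assumed config file for the second instance, e.g. /etc/ssh/sshd_tunnel_config
# Weak form (what the linked answer's lock-down alone leaves open):
#   AllowTcpForwarding yes      # allows -L/-D as well as -R, so localhost-only
#                               # services on this host become reachable
# Hardened form, applied only to the tunnelling account:
Match User tunnel
    # Only -R (remote) forwards; any -L/-D request is rejected by sshd.
    AllowTcpForwarding remote
    # Belt and braces: no local-forward destination is ever permitted.
    PermitOpen none
    # Restrict which ports the -R listener may bind (OpenSSH 7.8+).
    PermitListen localhost:2222
    # Keep remote listeners bound to loopback unless you really need them public.
    GatewayPorts no
    # Without a shell or PTY the user cannot run their own port forwarder,
    # which sshd_config(5) notes is what makes forwarding limits meaningful.
    ForceCommand /bin/false
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
```

Check the effective settings for that account with `sshd -T -f /etc/ssh/sshd_tunnel_config -C user=tunnel` before restarting the instance.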