Perforce Public Knowledge Base - Setting Up Perforce Using Firewalls
Reset Search



Setting Up Perforce Using Firewalls

« Go Back



Instructions on setting up your client machine to connect to the Perforce server through a firewall.


Perforce clients communicate with a Perforce Server using TCP/IP. The server listens for connections at a specific port on the machine it is running on, and clients make connections to that port.

The port number the server listens on is specified when it is run; in the following example the port is 3710. The number is arbitrary, except that it must be chosen to not conflict with any other networking services. The port number used on the client machine is dynamically allocated.

The network without a firewall

A firewall is a network element which prevents any packets from outside the local, trusted network from reaching the local network. This is done at a low level in the network protocol - specifically, any packets not coming from a trusted IP address are simply ignored.

In the following scenario, the Perforce client is unable to connect to the server because it is from an untrusted part of the network and none of its connection requests reach the machine the server is running on.

The network blocking Perforce with a firewall

The only solution is to establish a connection to the Perforce Server from the untrusted network through the trusted network. This can be done securely using a secure shell (ssh). Many secure shell implementations exist (but they are not distributed with or by Perforce). Mac OS X and most current Unix distributions have some form of ssh. Windows users might consider installing Cygwin and OpenSSH.

ssh is meant to be a replacement for rsh (remote shell), which means it allows you to log into a remote system and execute commands as if you were locally controlling the machine. The connection is encrypted, so none of the data is visible to the Untrusted Network. With simple utilities such as rsh, even your password as you type it is visible; not so with ssh.

So, one solution is to use ssh to log into the firewall machine and run the Perforce client there. That is not the optimal solution, however; typically you want your client files right on your local machine.

The best solution takes advantage of ssh's ability to forward arbitrary TCP/IP connections. The Perforce client can appear to be connecting from the firewall machine over the local, trusted network; the link between the firewall machine and the machine running the client is passed through the secure channel set up by ssh.

The network with Perforce tunneled through the firewall

Suppose the Perforce Server is on the machine "" and the firewall machine is called "". Choose 4242 for the local port, and note that the Perforce server is listening on port 3710. The ssh invocation to forward the TCP/IP connection is:

ssh -f -N -q -L
  • -f tells ssh to go into the background (daemonize).
  • -N tells ssh that you don't want to run a remote command. That is, you only want to forward ports.
  • -q tells ssh to be quiet
  • -L specifies the port forwarding <local_port>:<remote_host>:<remote_port>

In most circumstances, you will need to provide a password in order to login to "". Once the connection is established, ssh listens at port 4242 on the local machine and forwards the connection to "" and then, by way of the secure internal network, to port 3710 on "".

Configure your Perforce client to use port 4242 by setting the environment variable P4PORT to 4242. This means you are trying to connect to a server running on your local machine listening at port 4242, but now it is not a Perforce Server listening, it is ssh; data sent over this port is then transparently forwarded to the Perforce Server at "".


With a port (4242 in this example) on the local machine now forwarded to a secure server, it is prudent to be certain the local machine is secure! To do this, check your ssh client documentation to determine whether it accepts only local connections, or if it can be configured to prevent remote connections that can compromise your security.

It is possible to specify that the local end of the ssh tunnel use a specific ip address. For example:

ssh -f -N -q -L


Related Links
Configuring SSH on Mac OS X (External Site)
Cygwin Web Site (External Site)
OpenSSH for Windows (External Site)
Sun Article on SSH Tunnelling (External Site, has a good example using Perforce)



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255