ThinLinc relies on SSH port forwarding in order to function. However, it is possible to limit that port forwarding in order to avoid unwanted network access. ThinLinc only requires forwarding via the loopback interface, so the SSH server can always be configured to allow only this without limiting ThinLinc in any way. For OpenSSH this is configured by specifying the following in sshd_config:
GatewayPorts no
PermitOpen 127.0.0.1:*
Note that it is also necessary to disable shell access in order to completely prevent users from forwarding ports, as otherwise they could run their own forwarding software over the shell channel.
It is possible to use ThinLinc with remote port forwarding completely disabled. However, this will prevent local devices such as sound, drives and printers from functioning. In OpenSSH this is configured by adding the following to /etc/ssh/sshd_config:
AllowTcpForwarding local
It is also possible to apply this restriction only to a subset of users by using the Match setting. Please see OpenSSH's documentation for how to configure this mechanism.
Local port forwarding cannot be disabled, as it is required for even the basic ThinLinc functionality.
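One way to verify that a server actually enforces these limits, as an added example that is not part of the ThinLinc documentation: a shell function that reads the effective configuration printed by `sshd -T` and checks the three settings discussed above. The sample input is constructed, and the user name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: audit effective sshd settings against the ThinLinc limits.
# Input on stdin: lines of "keyword value" as printed by `sshd -T`.
# Returns 0 when the limits hold, 1 otherwise; findings go to stdout.
#
# Typical use (as root), also evaluating Match blocks for one user:
#   sshd -T -C user=alice | check_thinlinc_forwarding   # "alice" is a placeholder
check_thinlinc_forwarding() {
    awk '
        # Remember the value of every keyword; keys are compared in lowercase.
        { key = tolower($1); $1 = ""; sub(/^ +/, ""); val[key] = $0 }
        END {
            bad = 0
            # Forwarded ports must not be reachable from other hosts.
            if (val["gatewayports"] != "no") {
                print "FAIL gatewayports=" val["gatewayports"] " (want no)"
                bad = 1
            }
            # Forwarding destinations must be loopback only, nothing else listed.
            if (val["permitopen"] != "127.0.0.1:*") {
                print "FAIL permitopen=" val["permitopen"] " (want 127.0.0.1:*)"
                bad = 1
            }
            fwd = val["allowtcpforwarding"]
            if (fwd == "local") {
                print "OK   allowtcpforwarding=local (remote forwarding off, no local devices)"
            } else if (fwd == "yes" || fwd == "all") {
                print "OK   allowtcpforwarding=" fwd " (local devices can work)"
            } else {
                # "no" or "remote" removes the local forwarding ThinLinc needs.
                print "FAIL allowtcpforwarding=" fwd " (ThinLinc needs local forwarding)"
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample of `sshd -T` output (not taken from a real host).
printf '%s\n' 'port 22' 'gatewayports no' 'permitopen 127.0.0.1:*' \
    'allowtcpforwarding local' | check_thinlinc_forwarding
```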