By default, opening SSH access also allows forwarding of any ports, circumventing any firewalls between Grand the database host that is terminating the SSH tunnel. For better security, limit port forwarding and the ability to log in to your tunnel server. This can be controlled by properly configuring the ~/.ssh/authorized_keys entry for your account's public key.