Openssh Port Forwarding Confusion

First off, I would like to thank anyone that reads this; second, I
would like to thank doubly anyone who responds to this - even if it
is a "Read the man page again dumbass!"

My confusion lies in the fact that I do not know too much at all about
ssh.  I am trying to use OpenSSH on cygwin (as my client) and have been
successful in forwarding X11 from my server (for now also cygwin on a
different computer until I am done playing with the config stuff and
set up the real one on my sun box).  I can run xclock! - I don't know
how I did it, but it worked.  I think there was something weird with the
ssh config files on cygwin that required a reboot on behalf of
Windows 2k - but don't hold me to that. It didn't work yesterday, but
today when I started both computers it just worked (with the same
configuration as I left in it yesterday).  I am going to re-set this
up today, to find out where I was going wrong, but for now please know
that I have forwarded my X11 and my server/client relationship works.
Now for my port forwarding question.  I have read every man page, and
every Howto I can get my hands on - they just end up confusing me. I
figured out that I am missing something very fundamental, but I don't
know what it is. So far what I have extracted about ssh port
forwarding is:
I can forward ports

My hypothetical situation is this:

(ssh client) <--> (Proxy/firewall)<--internet-->(Home Nat)<-->(ssh

What needs to be done to the server and the client if the only ports
that are open are port 80 on "(Proxy/firewall)" and port 5865 on
"(Home Nat)"?
I am only guessing that this can be done - I don't think that I
understand this process well enough yet to say for sure.

If you do answer I need to ask one more thing:
Please do not use the words "Host" or "localhost" unless you specify
(very explicitly) which computer you are talking about. This can be
very confusing if your point of view is from the server or from the

I do not need a "Howto" but you are welcome to give one, I just need
to understand this process better.

Thank you all for your time, and I apologize for any spelling mistakes.

As far as SSH is concerned, at the simplest level there are 2 types of
port forwarding:

* Local forwarding: You connect to a port on the SSH client.  The data
  is sent over the SSH data stream to the server, and sshd makes a
  connection to the target of the forward (which may or may not be on
  the SSH server itself).

* Remote forwarding: You connect to a port on the SSH server.  The
  data is sent over the SSH data stream to the client, which connects
  to the target of the forward (which, again, may or may not be on the
  client itself).

To use a forward, you configure whatever software whose traffic you
want to tunnel to use "localhost" [1] as the address to connect to.
Your software connects to the port that ssh or sshd is listening on,
which then forwards the data over the SSH connection, where at the
other end the SSH software connects to the target of the forward on
your behalf.

Now, adding to this, there are some special cases:

* X11 Forwarding:  A special case of Remote forwarding where the port
is 6000 + N, the $DISPLAY environment variable is set to something like
localhost:N.0 [3] and xauth is used to restrict access to this pseudo-
display managed by ssh.  When an X client runs, it connects to the
port specified by $DISPLAY and the connection is sent back through
the SSH channel and to the X Server (which, confusingly, is running on
the SSH client in this case).

* Dynamic Forwarding.  A special case of Local forwarding where instead
of connecting to a fixed port on the SSH client to be forwarded via
the SSH channel, the SOCKS protocol is used to determine which host
and port the forwarded connection is destined for.  In this case, the
SSH *client* is behaving as a SOCKS *server*.

Hopefully this helps.  I glossed over some details and it's still longer
than I thought it would be (perhaps a candidate for an FAQ entry?)


[1] Most of the time, the ports that are forwarded are listening only
on the loopback interface, and thus only processes on the forwarding
machine may use the forward.  This can be overridden and the port
bound to all addresses (for OpenSSH, this is the GatewayPorts [2]
directive; most SSH software has something similar).

[2] Whether or not you can specify GatewayPorts on a remote port
forward varies with the software and server settings.

[3] Actually on OpenSSH this varies with the setting of X11UseLocalhost.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
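To put the answer above in concrete terms for the scenario in the original question, here is an added configuration example (it is not part of the thread and not Darren's). It assumes the corporate "(Proxy/firewall)" is an HTTP proxy that accepts the CONNECT method on port 80 and allows CONNECT to destination port 5865 (many proxies only permit 443; if so, this will not work until the Home NAT is changed), that the corkscrew helper is installed on the SSH client, and the hypothetical names home.example.org, proxy.example.com, and the home LAN address 192.168.1.10. Every address is labelled with the machine it is seen from, as the original poster asked.

```sshconfig
# ---- ~/.ssh/config on the SSH CLIENT (the cygwin box behind the corporate proxy) ----
# Assumed names: home.example.org = public address of the Home NAT,
#                proxy.example.com = the corporate proxy, port 80 only.
Host home
    HostName home.example.org
    # The one port the Home NAT forwards inward to sshd on the home box.
    Port 5865
    User me
    # Reach the Home NAT through the proxy with HTTP CONNECT.  %h/%p are
    # expanded by ssh to HostName and Port.  Assumes corkscrew is installed
    # on the SSH CLIENT and that the proxy permits CONNECT to port 5865.
    ProxyCommand corkscrew proxy.example.com 80 %h %p

    # Local forward: a program on the SSH CLIENT connects to 127.0.0.1:8080
    # (the client's own loopback); sshd on the SSH SERVER then opens the
    # connection to 192.168.1.10:80 as seen from the home LAN.
    LocalForward 127.0.0.1:8080 192.168.1.10:80

    # Remote forward: a program on the SSH SERVER connects to 127.0.0.1:2222
    # (the server's own loopback); ssh on the SSH CLIENT then opens the
    # connection to 127.0.0.1:22, i.e. port 22 of the SSH CLIENT itself.
    RemoteForward 127.0.0.1:2222 127.0.0.1:22

    # Dynamic forward: ssh on the SSH CLIENT listens as a SOCKS server on
    # 127.0.0.1:1080; each SOCKS request names the host:port that sshd on
    # the SSH SERVER should connect to.
    DynamicForward 127.0.0.1:1080

    # X11: X clients started on the SSH SERVER talk to $DISPLAY there and
    # are carried back to the X server running on the SSH CLIENT.
    ForwardX11 yes

# Equivalent single command line, typed on the SSH CLIENT:
#   ssh -p 5865 -o 'ProxyCommand corkscrew proxy.example.com 80 %h %p' \
#       -L 127.0.0.1:8080:192.168.1.10:80 -R 127.0.0.1:2222:127.0.0.1:22 \
#       -D 127.0.0.1:1080 -X me@home.example.org

# ---- sshd_config on the SSH SERVER (the home box, behind the Home NAT) ----
# sshd can keep listening on 22; the Home NAT maps external 5865 -> thisbox:22.
Port 22
X11Forwarding yes
# Remote forwards bind only to the SERVER's loopback.  "yes" would expose
# port 2222 (and so the client's sshd) to the whole home LAN.
GatewayPorts no
```

Once connected, test each forward from the right machine: on the SSH client, `curl http://127.0.0.1:8080/` should return the page from 192.168.1.10; on the SSH server, `ssh -p 2222 127.0.0.1` should land on the client's sshd; a SOCKS-aware program on the client pointed at 127.0.0.1:1080 can reach any host the server can. If only the X11 part worked "by accident" before, the likely culprit on cygwin is that sshd was started before X11Forwarding was enabled in sshd_config; sshd only rereads its configuration when restarted or sent SIGHUP, which a reboot happens to do.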

Thank you for taking the time to explain that.  I think I have the idea now.

