Question concerning remote port-forwarding with SSH

I am having difficulty finding out when I should use SSH remote port-forwarding, e.g.

ssh sshserver -R 7777:localhost:110

Notice the -R instead of -L

This would cause data traffic (with the syntax: in-port:machine:out-port):

MailClient(on remote):* -> 7777:SSHServer:* -> 22:SSHClient(on localhost):* -> 110:MailServer(on localhost)

Are the following statements correct:

- Use remote port-forwarding (-R) when the connection between SSH-Server
  and ApplicationServer (e.g. MailServer) should be encrypted
- Use "normal" port-forwarding (-L) when the connection between ApplicationClient
  (e.g. MailClient) and SSH-Server should be encrypted
- Use remote port-forwarding (-R) when the SSHClient is on the machine
  where the ApplicationServer (e.g. MailServer) is located
- Use "normal" port-forwarding (-L) when the SSHClient is on the machine
  where the ApplicationClient (e.g. MailClient) is located

Peter

0
pmeister2 (12)
7/7/2005 12:59:24 PM
comp.security.misc

On 2005-07-07, Peter Meister <pmeister2@lycos.com> wrote:
> I have difficulties to find out when I should use SSH remote
> port-forwarding e.g.
>
> ssh sshserver -R 7777:localhost:110
>
> Notice the -R and instead of -L
>
> This would cause a data traffic (with the syntax: in-port:machine:out-port):
>
> MailClient(on remote):* -> 7777:SSHServer:* -> 22:SSHClient(on
> localhost):* -> 110:MailServer(on localhost)
>
> Are the following statement correct:
>
> - Use remote port-forwarding (-R) when the connection between SSH-Server 
>   and ApplicationServer (e.g.MailServer) should be encrypted 
> - Use "normal" port-forwarding (-L) when the connection between
>   ApplicationClient (e.g.MailClient) and SSH-Server should be crypted
> - Use remote port-forwarding (-R) when the SSHClient is on the machine 
>   where the ApplicationServer (e.g.MailServer) is located
> - Use "normal" port-forwarding (-L) when the SSHClient is on the machine 
>   where the ApplicationClient (e.g. MailClient) is located

Yes, all of these are true.

The "local" and "remote" concepts are relative to the SSH client (since
they are the client's command-line options).

Think of it this way: for your application client, if it needs to run on
the local host, use local port forwarding and if it needs to run on the
remote host (i.e. the SSH server) then use remote forwarding.

The TCP connection for the SSH connection is always from SSH client to
SSH server, however the data flows inside this SSH connection can be
initiated in either direction, depending on whether or not you specify
local or remote forwarding.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
0
dtucker2 (224)
7/7/2005 2:06:11 PM
Peter Meister wrote:
> I have difficulties to find out when I should use SSH remote port-forwarding e.g.
> 
> ssh sshserver -R 7777:localhost:110
> 
> Notice the -R and instead of -L
> 
> This would cause a data traffic (with the syntax: in-port:machine:out-port):
> 
> MailClient(on remote):* -> 7777:SSHServer:* -> 22:SSHClient(on localhost):* -> 110:MailServer(on localhost)
> 
> Are the following statement correct:
> 
> - Use remote port-forwarding (-R) when the connection between SSH-Server 
>   and ApplicationServer (e.g.MailServer) should be encrypted 
> - Use "normal" port-forwarding (-L) when the connection between ApplicationClient 
>   (e.g.MailClient) and SSH-Server should be crypted
> - Use remote port-forwarding (-R) when the SSHClient is on the machine 
>   where the ApplicationServer (e.g.MailServer) is located
> - Use "normal" port-forwarding (-L) when the SSHClient is on the machine 
>   where the ApplicationClient (e.g. MailClient) is located
> 
> Peter
> 

Hmmm... complicated...  -R is often used to create an open port
forward on a remote host.  For example... a box in the DMZ.  It's
vicious and a great way to get around your company's security :-)

Let's say I have an interior host (my desktop) and a perimeter
host in a DMZ (or simply somewhere where a machine CANNOT initiate
a connection into the interior directly.. emphasis on directly...
since we're about to thwart that).  Ssh -R will allow me to
initiate from my desktop effectively a port forwarding
tunnel on a remote host (in this case, a host on the
perimeter/DMZ) that tunnels back to my desktop.  Thus you can
create what amounts to a tunnel into your interior from the DMZ
or other network (something normally NOT allowed possibly).

So much for security eh?

IMHO, that's what -R is for.  The good news is that remote
listening of that remote port is usually disabled (listens
only to localhost) by the default configuration of sshd.  When
enabled... look out!!  Deliciously vicious and so easy to do!

Use -L when you need to create a port forward from your
machine port to a remote machine port.

Use -R when you need to create a remote port forward to your
machine port and cannot use -L from the remote host :)
Thus your machine initiates the connection, yet it's as if
you were on the remote host setting up a port forward via
-L.

Permutations abound... remember as long as the ssh host
you are communicating with can get to the host you are
targeting for a port forward (or whatever), you now have
a means of getting there... it can get really complicated.
Ssh encrypts data... great!  It's also a knife that can rip
your security policies to shreds!!  Have fun!


0
7/7/2005 11:26:47 PM
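
The reply above notes that sshd's default configuration keeps a -R listener on localhost only. The following is an added example, not part of the original thread: it reads an sshd_config text and reports which forwarding settings accept remote forwards and whether their listeners can be reached from other hosts. The keywords and defaults are OpenSSH's; the finding labels, the sample configurations and the 192.0.2.10 address are constructed for the example.

```python
import re

# sshd_config(5) defaults for the forwarding-related keywords checked here.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permitopen": "any",
    "permitlisten": "any",
}


def effective_global(config_text):
    """Return the effective values in the global section of an sshd_config text."""
    values, seen = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or an optional "=".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # Match blocks are conditional overrides; not evaluated here
        if keyword in DEFAULTS and keyword not in seen and len(parts) == 2:
            values[keyword] = parts[1].strip().lower()
            seen.add(keyword)  # sshd keeps the first value it reads per keyword
    return values


def audit(config_text):
    """Return (label, explanation) findings about TCP forwarding exposure."""
    eff = effective_global(config_text)
    remote_ok = eff["allowtcpforwarding"] in ("yes", "all", "remote")
    local_ok = eff["allowtcpforwarding"] in ("yes", "all", "local")
    findings = []
    if remote_ok:
        findings.append(("remote-forward-allowed",
                         "clients may open listening ports on this server (-R)"))
        if eff["gatewayports"] in ("yes", "clientspecified"):
            findings.append(("remote-listener-exposed",
                             "-R listeners may bind non-loopback addresses"))
        if eff["permitlisten"] == "any":
            findings.append(("listen-unrestricted",
                             "no PermitListen limit on which ports -R may use"))
    if local_ok and eff["permitopen"] == "any":
        findings.append(("open-unrestricted",
                         "no PermitOpen limit on where -L forwards may connect"))
    return findings


# Constructed sample configurations (not taken from any real host).
STOCK = "# nothing set: sshd defaults apply\n"
EXPOSED = "AllowTcpForwarding yes\nGatewayPorts yes\n"
RESTRICTED = (
    "AllowTcpForwarding local\n"
    "GatewayPorts no\n"
    "PermitOpen 192.0.2.10:110\n"
)

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("exposed", EXPOSED),
                       ("restricted", RESTRICTED)):
        print(name)
        for label, why in audit(text) or [("ok", "no forwarding findings")]:
            print(f"  {label}: {why}")
```

Only the global section is read; on a live host `sshd -T` prints the configuration sshd will actually apply.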
Peter Meister wrote:
> I have difficulties to find out when I should use SSH remote port-forwarding e.g.
> 
> ssh sshserver -R 7777:localhost:110
> 
> Notice the -R and instead of -L
> 
> This would cause a data traffic (with the syntax: in-port:machine:out-port):
> 
> MailClient(on remote):* -> 7777:SSHServer:* -> 22:SSHClient(on localhost):* -> 110:MailServer(on localhost)
> 
> Are the following statement correct:
> 
> - Use remote port-forwarding (-R) when the connection between SSH-Server 
>   and ApplicationServer (e.g.MailServer) should be encrypted 
> - Use "normal" port-forwarding (-L) when the connection between ApplicationClient 
>   (e.g.MailClient) and SSH-Server should be crypted
> - Use remote port-forwarding (-R) when the SSHClient is on the machine 
>   where the ApplicationServer (e.g.MailServer) is located
> - Use "normal" port-forwarding (-L) when the SSHClient is on the machine 
>   where the ApplicationClient (e.g. MailClient) is located
> 
> Peter

None of the above.

SSH encrypts every time - whether -L or -R or neither are used.

-L isn't mnemonic for "normal" but "local".


If I log in to CLIENT host and then run ...

	ssh -L 7777:localhost:110 SERVER

Then SSH creates a new port number 7777 on the CLIENT. If I connect to
localhost:7777 from the client, then I am actually talking to SERVER:110.

But if I had run

	ssh -R 7777:localhost:110 SERVER

Then SSH creates the new port number 7777 on the SERVER (not the 
client). Now if I log into the SERVER and connect to its port 7777, I
wind up talking to port 110 on the CLIENT.

So.. -L creates a local port that allows me to access a remote service.
     -R makes a local service available to the remote machine on a port
     that "looks" local to the remote system.

Confusing, I know - but I hope that helps to clarify things.

Chris
--
http://www.lowth.com/rope - Identify and control complex protocols with
                             Linux, IpTables and Rope.
0
7/11/2005 9:47:55 PM
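
The -L and -R behaviour described in the post above, as an added example that is not part of the original thread: it parses a forward specification and reports which side opens the listening port, which side dials the target, and which legs of the path are inside the SSH connection. CLIENT and SERVER are the thread's labels; the function name, the result keys and the hosts `mailhost` and `gateway` are assumptions made for the example.

```python
import re

# [bind_address:]port:host:hostport, the argument format of ssh -L and -R.
# IPv6 addresses must be written in square brackets.
_SPEC = re.compile(
    r"^(?:(?P<bind>\[[^\]]+\]|[^:\[\]]*):)?"
    r"(?P<port>\d+):"
    r"(?P<host>\[[^\]]+\]|[^:\[\]]+):"
    r"(?P<hostport>\d+)$"
)
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}


def describe_forward(flag, spec, client="CLIENT", server="SERVER"):
    """Explain one -L or -R forward in terms of the two SSH endpoints."""
    m = _SPEC.match(spec)
    if flag not in ("-L", "-R") or m is None:
        raise ValueError(f"unsupported forward: {flag} {spec}")

    # -L: the ssh client opens the listening port and the server dials the target.
    # -R: the roles swap. The SSH connection itself always goes client -> server.
    listener, connector = (client, server) if flag == "-L" else (server, client)

    bind = m.group("bind")
    if bind is None:
        bind = "localhost"  # no bind_address given: loopback only by default
    elif bind == "":
        bind = "*"          # an empty bind_address means all interfaces

    # "host" is resolved by the side that dials out, so "localhost" means the
    # SSH server for -L and the SSH client for -R.
    host = m.group("host")
    target_host = connector if host in LOOPBACK else host
    port, hostport = int(m.group("port")), int(m.group("hostport"))

    return {
        "listens_on": listener,
        "bind": bind,
        "listen_port": port,
        # For -R, a non-loopback bind only takes effect if sshd's GatewayPorts allows it.
        "exposed_beyond_loopback": bind not in LOOPBACK,
        "connects_from": connector,
        "target": f"{target_host}:{hostport}",
        "legs": [
            (f"application client -> {listener}:{port}", "plain TCP"),
            (f"{listener} -> {connector} inside the SSH connection", "encrypted"),
            (f"{connector} -> {target_host}:{hostport}", "plain TCP"),
        ],
    }


if __name__ == "__main__":
    for flag in ("-L", "-R"):
        info = describe_forward(flag, "7777:localhost:110")
        print(f"ssh {flag} 7777:localhost:110 SERVER")
        for leg, protection in info["legs"]:
            print(f"  {leg:55s} {protection}")
```

The first and last legs stay on one machine when both ends are loopback; once the target is a third host, or the listener is bound beyond loopback, that leg crosses the network outside the SSH connection.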
This is one of the nicest explanations I could find on -L and -R
Thanks a lot.
Payal

Chris Lowth wrote:
> Peter Meister wrote:
> > I have difficulties to find out when I should use SSH remote port-forwarding e.g.
> >
> > ssh sshserver -R 7777:localhost:110
> >
> > Notice the -R and instead of -L
> >
> > This would cause a data traffic (with the syntax: in-port:machine:out-port):
> >
> > MailClient(on remote):* -> 7777:SSHServer:* -> 22:SSHClient(on localhost):* -> 110:MailServer(on localhost)
> >
> > Are the following statement correct:
> >
> > - Use remote port-forwarding (-R) when the connection between SSH-Server
> >   and ApplicationServer (e.g.MailServer) should be encrypted
> > - Use "normal" port-forwarding (-L) when the connection between ApplicationClient
> >   (e.g.MailClient) and SSH-Server should be crypted
> > - Use remote port-forwarding (-R) when the SSHClient is on the machine
> >   where the ApplicationServer (e.g.MailServer) is located
> > - Use "normal" port-forwarding (-L) when the SSHClient is on the machine
> >   where the ApplicationClient (e.g. MailClient) is located
> >
> > Peter
>
> None of the above.
>
> SSH encrypts every time - whether -L or -R or neither are used.
>
> -L isn't mnemonic for "normal" but "local".
>
>
> If I log in to CLIENT host and then run ...
>
> 	ssh -L 7777:localhost:110 SERVER
>
> Then SSH creates a new port number 7777 on the CLIENT. If I connect to
> localhost:7777 from the client, then I am actually talking to SERVER:110.
>
> But if I had run
>
> 	ssh -R 7777:localhost:110 SERVER
>
> Then SSH creates the new port number 7777 on the SERVER (not the
> client). Now if I log into the SERVER and connect to its port 7777, I
> wind up talking to port 110 on the CLIENT.
>
> So.. -L creates a local port that allows me to access a remote service.
>       -R makes a local service available to the remote machine on a port
> that "looks" local to the remote system.
>
> Confusing, I know - but I hope that helps to clarify things.
>
> Chris
> --
> http://www.lowth.com/rope - Identify and control complex protocols with
>                              Linux, IpTables and Rope.

0
7/14/2005 6:24:07 PM
Reply:

Similar Artilces:

I have a question about Remote port forwarding in SSH
Hi, I am trying do remote port forwarding in SSH and make the forwarded port available over a network. One machine, S, is behind a firewall and I can ssh out, but not ssh in. I can connect using a VPN which only works with Windoze. The other machine, H, is behind a different firewall, and it can SSH in or out. So I what I do is connect to the machine S from the machine H and then give the command: user@S$ ssh -R22222:localhost:22 H Then, on the machine H, I give the command user@H$ ssh -p 22222 localhost and I am connected. Using public key authentication, I don't need to provide a passphrase, unless I want to. Now, here is the problem. I have a machine, H2, which is on the same (private) LAN as H, and I would like to be able to do something like user@H2$ ssh -p 22222 H but that doesn't work. I have tried using the -g switch on the first ssh command, but no joy. Anybody have any suggestions? Incidentally, this construct is a covert channel, so it's probably wise not to get caught doing that. Jeff On Tue, 06 Sep 2005 23:23:57 -0700, Jeff Silverman wrote: > Jeff Hey, that's my name! Sorry no help for your question, though. -- JDS | jeffrey@example.invalid | http://www.newtnotes.com DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/ ...

To Port Forward or Not To Port Forward
System: DP MDD G4, OS 10.4.9 Inet connection: DSL with static i.p.,Broadcom Gateway to Linksys WRT54G Wireless Router using DHCP, 1 computer connected via enet, 3 connected wirelessly, basic home use only Wireless security is very basic: Unique router name and pw, SSID disabled, and connections allowed by MAC addresses only, Linksys firewall is enabled with all the other features set to their defaults, Mac OS firewall is disabled I recently purchased a Logitec QuickCam Pro 5000 webcam that works just fine with iChat right out of the box. Learning how to use it I found some Apple docs and ot...

ssh remote port forwarding
Hello experts, I have a little problem using ssh and remote port forwarding. Here is the problem: I have one machine (A) behind a nat firewall that I'd like to be able to access from the outside via ssh. Unfortunately I have no control over the router, so no DMZing it. So I was thinking of sshing from machine A behind the firewall to a machine outside the nat (machine B) and using reverse port forwarding on that machine. Then I could ssh to machine B and that would then forward the connection to A. so far I run this on A: sudo ssh -g -N -R 2222:127.0.0.1:22 machineBusername@machineB.something then running the following in the outside world: ssh -p 2222 machineAusername@machineB.something yields a time out. I'm a bit confused on how to get this to work. Is what I want to do pricipally possible and if so, what can I do to make it work? Regards, Sven. -- s v e n (dot) d (dot) m e i e r (at) g m x (dot) n e t In article <e0s4cl$dua$1@dennis.cc.strath.ac.uk> Sven <no@spam.com> writes: > >I have a little problem using ssh and remote port forwarding. Here is >the problem: I have one machine (A) behind a nat firewall that I'd like >to be able to access from the outside via ssh. Unfortunately I have no >control over the router, so no DMZing it. > >So I was thinking of sshing from machine A behind the firewall to a >machine outside the nat (machine B) and using reverse ...

SSH Port Forwarding Question
I am having a problem using OpenSSH_3.8.1p1 Debian 1:3.8.1p1-4, OpenSSL 0.9.7d on the client and OpenSSH_3.7p1 for Solaris 7 on the server. I have port forwarded the default Oracle port from my local machine through a bastion host to my Oracle machine like so: ssh -L 1521:oracle_box:1521 username@bastion And all works fine at first. I am doing some load testing on an application and am trying to see how many instances I can run at one time. Each instance of the application initiates its own connection to the Oracle database through the SSH tunnel. This works great until I get to 25 hosts and then I start seeing this error on the console of the bastion host where I have ssh'd to: channel 53: open failed: administratively prohibited: open failed It appears there is some sort of hard limit that I have reached and I am wondering if this is something I can change on the client side, the server side, or whether it is hardcoded into either the server or client and I'm out of luck. I do not have the luxury of simply selecting another local port to forward because of the way the application is configured so I'd really like to be able to get at least 100 connections through per tunnel. I have tried this on 3 different Linux boxes, all with the same result. The per-process limit on concurrent open file descriptors for sshd on the server is probably set to 64; try increasing it. -- Richard Silverman res@qoxp.net ...

remote/reverse port forward, ssh client setting source IPs to what ssh server reports
Note: most of this post is based on OpenSSH When I do a remote forward (port on server listens for incoming traffic, traffic gets forwarded to port that is listening on client), the source IPs of all the incoming connections in the server app on the client machine are 127.0.0.1/localhost. Using "-v", I can see that sshd passes the IP addresses of what computers connected to the sshd's port that forwards to the client. The client does not use/set the originating information when connect. RFC 4254 requires the server send the originating IP across the wire to the client. ------------------------------------------------------------------------------------------------------------------------- 7.2. TCP/IP Forwarding Channels When a connection comes to a port for which remote forwarding has been requested, a channel is opened to forward the port to the other side. byte SSH_MSG_CHANNEL_OPEN string "forwarded-tcpip" uint32 sender channel uint32 initial window size uint32 maximum packet size string address that was connected uint32 port that was connected ###string originator IP address########################################### uint32 originator port -------------------------------------------------------------------------------------------------------------------------- The 'originator IP address' is the numeric IP address of the machine from where the conn...

ssh port forwarding questions
Folks, I am trying to setup X11 base working environment on my macbook (at home). What I am trying to do is to login to my work unix machine, run commands, bring up GUI's (on my macbook). I was told that SSH port forwarding is best for this. (I am unix VNC, and it works great, but problem is I end up using mouse lot; cant' easily switch between windows on KDE..and on mac I can use all shortcuts to navigate faster). So here is what I have: work machine: name.company.com (I use hostname to find out; not sure how to get ip or full name, I am just assuming that domain is comp...

SSH Port Forwarding Question #2
I would like to create a large amount of local port forward ports to another host. When setting them up on 1 putty session I get an error at about the 42nd tunnel port that I have too many. This is before I even try to connect to the server. Due to new policies I need to set up tunnel sessions through 1 gateway to up to 312 different ip/ports on the other side. NOT at one time though. I want my users to be able to ssh 1 time to the gateway and use a Procomm Directory to telnet to a max of 25 sessions at one time. But these 25 sessions could be any combination of the 312 available sessions. Is there any way to increase the available local port fwd sessions on one Putty session? Can you point me to any documentation to allow me to increase this limit? Is there another alternative? Example use SSH from windows to UNIX gateway On windows computer telnet to localhost 13000 - 13499 individually up to 25 consecutive. Putty sets tunnel L13000=192.x.x.001:23 - L13499=10.x.x.250:23 each local port being a separate server that can only be accessed from the unix gateway. "csharpe3@gmail.com" <csharpe3@gmail.com> writes: > I would like to create a large amount of local port forward ports to > another host. When setting them up on 1 putty session I get an error > at about the 42nd tunnel port that I have too many. > > This is before I even try to connect to the server. > > Due to new policies I need to set up tunnel sessions through...

FTP port forwarding in SSH.. Secure??
I was trying the "FTP Port Forwarding" to secure the FTP transfer). I really like it, but I have a question: On the unix manual pages (man ssh2), the description of the "-L" option indicates that part of the connection is not secure when you use FTP Port Forwarding, could someone please explain me what part is not secure? Is it referring to the FTP data which is non-encrypted inside the tunnel? Below is text from manual page for F-Secure SSH2 SSH2 SSH2(1) NAME ssh2 - secure shell client (remote login program) .... ... -L [protocol/][localhost:]port:host:hostport or -L socks/[localhost:]port The given port on the local (client) host is forwarded to the given host and port on the remote side. This allocates a listener port port on the local side. Whenever a connection is made to this listener, the connection is forwarded over the secure channel and a connection is made to host:hostport from the remote machine (this latter connection will not be secure, it <----- why not secure? is a normal TCP connection). Port forwarding can also be specified in the configuration file. ...

What is the difference between local port forwarding (-L) and remote port forwarding (-R)
Hi! I need to do an SSH tunnel to encrypt the data sent between an agent and a the server. I'm able to establish a tunnel but there's something that I can't understand... What is the difference between the bit -L and the bit -R. I've read the man of SSH on Fedora. It's seems to be simple but in practice, I don't understand. Can somebody help me on this subject? Thanks a lot! Yann > What is the difference between the bit -L and the bit -R. -L forwards a port from the client to the server. -R forwards a port from the server to the client. -- To reply by email, replace "deadspam.com" by "alumni.utexas.net" In article <d73d6e32.0404262310.5dd662ed@posting.google.com>, Yann Laviolette <yann_laviolette@gnome.org> wrote: >What is the difference between the bit -L and the bit -R. I've read >the man of SSH on Fedora. It's seems to be simple but in practice, I >don't understand. Example: "ssh -L 2000:1.2.3.4:2000 server" is a "local" forward and will listen on the client (ie the machine you ssh'ed from) on port 2000. If something connects to the client on port 2000, a "channel" will be opened inside the SSH connection and the server will connect to 1.2.3.4 on port 2000. Any data sent or received will be forwarded over this channel. In contrast, "ssh -R 2000:1.2.3.4:2000 server" is a "remote" forward, which will cause the *server* to listen o...

Symantec 200R Firewall port forwarding remote desktop security
Hi, I have set up the 200R to allow a virtual server for port 3389 so that I can connect to our remote server using terminal services to the public Internet IP address. It all works OK but I have disabled it because of security reasons. Two questions:- Is there any way to tie down this access to my own PC or network? Can I make the port appear in Stealth mode rather than Open? Regards, Vic Vic Russell wrote: > Hi, > I have set up the 200R to allow a virtual server for port 3389 so that I > can connect to our remote server using terminal services to the public > Internet ...

ssh port forward
Hi, Im trying to set up ssh local port forward. But I dont know the ports to connect to on the remote machine beforehand. Is it possible to setup forward for a range of ports? thanks rc You can specify multiple ports to forward on the command line, or establish a VPN if you have the need for UDP. See: http://www.securitybulletins.com/mediawiki/index.php/SSH_Tunnelling for info on both types. Doug On 21 Nov 2006 15:57:54 -0800 chandranramesh@gmail.com wrote: > Hi, > > Im trying to set up ssh local port forward. > But I dont know the ports to connect to on the remote machine > beforehand. > > Is it possible to setup forward for a range of ports? -- For UNIX, Linux and security articles visit http://SecurityBulletins.com/ In article <1164153474.108673.130230@b28g2000cwb.googlegroups.com> chandranramesh@gmail.com writes: > >Im trying to set up ssh local port forward. >But I dont know the ports to connect to on the remote machine >beforehand. You could perhaps use OpenSSH's "dynamic" port forwarding, i.e. SOCKS - see the -D option. >Is it possible to setup forward for a range of ports? Not as such (with OpenSSH), though (with OpenSSH) you can AFAIK give any number of -L options - i.e. a range is just a matter of giving one -L option for every port in the range. A bit verbose, but the end result would be the same - ssh (any flavour) would need to open a separate socket for every port in the range, the...

Port Forwarding and Multiple SSH Servers
Behind my firewall I have several SSH servers that I connect to with something like: ssh -p xx user@firewall_IP_address and then the firewall forwards it to the correct server, generally running some version of Linux. The problem is this error message: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx. Please contact your system administrator. Add correct host key in /home/user/.ssh/known_hosts to get rid of this message. Offending key in /home/user/.ssh/known_hosts:19 Password authentication is disabled to avoid man-in-the-middle attacks. Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks. X11 forwarding is disabled to avoid man-in-the-middle attacks. Permission denied (publickey,password,keyboard-interactive). On the client system $HOME/.ssh/config I've put : Host firewall_IP_address StrictHostkeyChecking no but I still get the error message. My workaound is to remove the key in known_hosts and then connect but I need to find a better solution. Is there one? The client is cygwin running on WinXP. Thanks...

remote host access on a remote forwarded port
Hi, I tried to connect my home lan to my office. So I want to use VNC in order to forward only one port. Because of the firewall of my office(I don't manage), I want to create a tunnel by this way : LAN(OFFICE)->OFFICE_FIREWALL->(INTERNET)->HOME_FIREWALL->LAN(HOME) to be able to use VNC by this way : VNCClient(HOME)->(tunnel)->VNCServer(OFFICE) I use port 443 to bypass the firewall of my office. So I use the commands : OFFICE: ssh -g -R 5900:VNCServer:5900 -p 443 HOME_FIREWALL HOME: vncclient HOME_FIREWALL But it looks like if the -g option doesn't work with -R option ? Is that true ? Thanks in advance ! Regards PS : sorry for my english ! :) ...

port tunneling over ssh (not port-forwarding in the traditional sense)
Does anybody know of a way to do port forwarding over ssh not using the standard ssh functionality, but rather by running a utility on the server and using a special client that forwards data through the terminal session. I think PPP and slirp would do the job, but I would prefer to have a standalone client that exists solely to forward one (or several) ports, rather than acting as my main network connection. > Does anybody know of a way to do port forwarding over ssh not using the > standard ssh functionality, but rather by running a utility on the server > and using a spe...

Ports for DB2 behind firewall / ssh port forward
hi newsgroup, I'd like to connect to a remote DB2 Database V 8.2 using the "DB2 Steuerzentrale" (I guess it's called something like "DB2 management console" in the English version). Since the database host is behind a firewall I tried to communicate through ssh port forwarding. Therefore, I run: ssh -L 6789:remotename:6789 -L 50000:remotename:50000 -L 50001:remotename:50001 -L 523:remotename:523 remotename Though the ssh connection is established, my "DB2 Steuerzentrale" won't connect to localhost successfully and shows an error num...

Warning: remote port forwarding failed for listen port 4043
I have a script that does a port forwarding for me: ssh -n -R localhost:4043:localhost:22 remoteserver.example.com The problem with this is that if port forwarding fails, ssh prints Warning: remote port forwarding failed for listen port 4043 But it STAYS CONNECTED instead of properly failing with exit code. So it is a MAJOR pain to detect this condition and kill ssh. How can I change is so that, when report port forwarding cannot be accomplished, ssh exits right away? I think that it is a bug, period. thanks i >>>>> "Ignoramus3694" == Ignoramus3694 <ignoramus3694@NOSPAM.3694.invalid> writes: Ignoramus3694> I have a script that does a port forwarding for me: ssh Ignoramus3694> -n -R localhost:4043:localhost:22 Ignoramus3694> remoteserver.example.com Ignoramus3694> The problem with this is that if port forwarding fails, Ignoramus3694> ssh prints Ignoramus3694> Warning: remote port forwarding failed for listen port Ignoramus3694> 4043 Ignoramus3694> But it STAYS CONNECTED instead of properly failing with Ignoramus3694> exit code. Ignoramus3694> So it is a MAJOR pain to detect this condition and kill Ignoramus3694> ssh. Ignoramus3694> How can I change is so that, when report port Ignoramus3694> forwarding cannot be accomplished, ssh exits right Ignoramus3694> away? Reading the documentation [ssh_config(5)]: ExitOnForwardFai...

Port forwarding question
Greetings to all, Here is the issue that I do not know how to resolve. There is a Debian based internet gateway with iptables firewall. There are 3 servers currently running, all 3 with up and running web servers (apache, apache2 and IIS). How can I direct traffic from the Internet to the web server that is not on gateway, but in the local network? In addition, how can enable users from the internet to use *all* 3 web servers at their discretion (for example, when user writes www.mydomain.net/server1 - IIS on local IP x.x.x.y server pops out, www.mydomain.net/server2 -apache2 server on local...

Port security question
Hey all. I'm running SQL server 2000, on W2K server. All the latest patches/etc for both installed. I've a need to allow remote access to the DB. I have a strong password on the sa account, and have completed the various security checklists on the MS website, including running the baseline security program they provide. Due to the nature of the application, windows authentication is not possible. Besides someone trying to hack in via a password guess, are there any other things I need to worry about? Again, all the latest patches and what not are installed. Thanks Matt Matt (ma...

ssh security question
I just regenerated the keys on one of my F14 systems. I am still able to access systems which don't have the new public key in their authorized_keys file. The one thing I did differently this time was that I did an ssh-add after I regenerated the keys. I did the ssh-add because putting the new public key into the authorized_keys files of my other systems wasn't sufficient to give me access. After the ssh-add I could access the other systems, however I could also access systems that don't have the new authorized_keys file. Does ssh-add keep the old keys in the authentication...

ssh port forwarding
Hello! Please, explain me where I'm wrong. I have two machines with linux and FreeBSD and I desire to have a secure tunel for HTTP between them. So I make it in the following way: linux@lunc:~$ ssh -2 -L 1234:localhost:6661 lunc@freebsd freebsd@lunc|~$ and afer that I tried to make following HTTP request "http://localhost:1234/" on my linux box by Firefox browser. However, I saw by tcpdump that http wasn't tuneled: linux@root# tcpdump -X -s 128 -v port 6661 ......... 19:47:07.980462 IP (tos 0x0, ttl 64, id 62776, offset 0, flags [DF], proto: TCP (6), le...

Port forwarding question
Are there any tools out there that will do the following? In a nutshell, I would like one process that would listen on two ports on one machine, and one that would initiate a connection on two ports on another machine, allowing a server application to be on machine that initiates a connection to the client machine. I know this is not very clear, so here is an example:

On a webserver, I would run this tool to initiate a connection to port 80 on localhost, and initiate another connection to port 777 on a client machine. On the client machine, I would run the tool to listen to port 777, as well as port 80. Then, when I navigate to http://locahost on the client machine, I get a page from the webserver, but the WEBSERVER MACHINE is the one who initiated the TCP/IP connection.

I don't think this tool would be that difficult to make, but I figure something like this is already out there?

Thanks
Dave

Spam Tester wrote:
> Are there any tools out there that will do the following? In a nutshell, I
> would like one process that would listen on two ports on one machine, and
> one that would initiate a connection on two ports on another machine,
> allowing a server application to be on machine that initiates a connection
> to the client machine. I know this is not very clear, so here is an example:

Hi, this is known as "port forwarding" (look at http://en.wikipedia.org/wiki/Port_forwarding). Depending on which platfor...

some question about port forwarding(?)
Hi, I got a problem with somewhat port forwarding(?). Here's my situation: I'm in a network controlled by some firewall, and it blocked all connections to server A (xxx.xxx.xxx.xxx). But I wanna connect to server A, so I use ssh tunneling with my server B (yyy.yyy.yyy.yyy) outside of that network. Assume the port is 80, then it shows

localhost:80 <-> B:80 <-> A:80

so I can connect to A:80 using localhost:80. But this is only possible when I can change servername A (xxx.xxx.xxx.xxx) -> localhost. I mean, if servername A is just a builtin thing in some application and ...

Remote Port Forwarding
Hello group, I've been trying for the past few days now to set up remote port forwarding. I've been seeing other people ask this question but never any solutions. My scenario that I am trying to accomplish is as follows:

Home Computer - Home FW - Internet - Work SSH Server <- VNC Viewer Workstation

Home Computer opens a plink ssh session to my Work ssh server and establishes port forwarding.

plink -l testuser -R 5900:localhost:5900 ip_of_remote_server

When I open VNC and attempt a connection to the Work SSH Server, the connection fails. I try doing verbose mode for the ssh connection and I see absolutely no traffic. I've also tried this in a test environment using putty and plink to two redhat servers and I have yet to get the remote port forwarding to work. Local works fine though, but it doesn't work for my situation since I have a DSL and an unroutable IP on the modem. Any thoughts or comments would be greatly appreciated. I apologize too if I explained my problem badly.

Thanks!
Mike

I would think that you forgot the -g option on the work ssh server command. However just looking at plink it does not appear to offer the -g option that an ssh command line would. Maybe someone else here knows more since I haven't used plink much. On an ssh command line like

ssh -l user -g -R 5900:localhost:5900 sshserver

(hope I typed that right) the -g is to allow other hosts to connect to that port; otherwise it only binds to the local loopback adapter. ...

SSH Port forwarding
Hi All,

I am running an application over telnet interface on port say 5566
So I generally connect telnet <hostname> 5566.

How to connect to the application via ssh (using ssh portforwarding.)

Thanks and Regards,
Jc

Jc wrote:
> Hi All,
>
> I am running an application over telnet interface on port say 5566
> So I generally connect telnet <hostname> 5566.
>
> How to connect to the application via ssh (using ssh portforwarding.)
>
> Thanks and Regards,
> Jc
>

ssh -L 5566:localhost:5566 userid@remotehost
telnet localhost 5566

Hi,
Thanks. It works.
But what happens is it directly logged into the remotehost which I don't want. I want the user to get only the info through the port 5566 (ssh). Any way?

Thanks in advance,
Jc

Chuck wrote:
> Jc wrote:
> > Hi All,
> >
> > I am running an application over telnet interface on port say 5566
> > So I generally connect telnet <hostname> 5566.
> >
> > How to connect to the application via ssh (using ssh portforwarding.)
> >
> > Thanks and Regards,
> > Jc
> >
> > ssh -L 5566:localhost:5566 userid@remotehost
> > telnet localhost 5566

On 9 Jan 2007 23:38:46 -0800 "Jc" <ramschitra@gmail.com> wrote:
> Hi,
> Thanks. It works.
> But what happens is it directly logged into the remotehost which I
> don't want. I want the user to get only the info through the port 5566
> (ssh)...
