Here is my problem. I'm not sure if it is a bug or a 'feature' but I don't know where else to ask.

From my non-root account I forwarded a remote port with ssh like this:

    some_host$ ssh -R 20022:my_other_host:22 user@my_host

When I tried to connect to the forwarded port from another computer, like this:

    some_host$ ssh -p 20022 my_host

I got the message: Connection refused.

When I tried to connect from the host my_host where the port was forwarded from, like this:

    my_host$ ssh -p 20022 localhost

it worked O.K. When I did it from the same my_host like this:

    my_host$ ssh -p 20022 my_host

it failed again.

Forwarding of local ports from my_host works O.K. So by doing

    my_host$ ssh -gL 20022:my_other_host:22 user@some_host

forwarding of port 20022 on my_host worked.

I should mention that my_host has a firewall installed, but the port 20022 was permitted. We tested it by putting sshd to listen on 20022:

    my_host$ sshd -p 20022

and connecting to port 20022 from outside:

    some_host$ ssh -p 20022 my_host

and it worked. So the firewall probably isn't the problem.

Port forwarding worked O.K. for other versions of SSH, only with OpenSSH it didn't.

The OS is: FreeBSD 4.8-RELEASE #6 on: i386 AMD Athlon(tm) Processor
The OpenSSH version is: OpenSSH_3.5p1 FreeBSD-20030201
This is a Feature. By default, port forwards listen only on the loopback interface, which means that only processes on the local machine can connect via the forward. You can see this with netstat:

    $ ssh -L 20022:127.0.0.1:22 myhost
    myhost> netstat -an
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    [snip]
    tcp        0      0 127.0.0.1:20022         0.0.0.0:*               LISTEN

As you saw, using -g (or GatewayPorts=yes) allows connections on any interface. This is known as a "wildcard binding" and shows a different "Local Address" in netstat:

    $ ssh -g -L 20022:127.0.0.1:22 myhost
    myhost> netstat -an
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    [snip]
    tcp        0      0 0.0.0.0:20022           0.0.0.0:*               LISTEN

Using GatewayPorts means that anyone who can connect to your machine can connect via your tunnel, which is why it defaults to listening on the loopback only. If you don't like the default you can put "GatewayPorts yes" in ssh_config.

If different ssh software behaved differently, perhaps it has a different default or the config file had the equivalent of "GatewayPorts yes" set.
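An added example (not from this bug thread) that classifies how a listening port is bound from netstat-style output, so a loopback-only forward can be told apart from a -g / GatewayPorts wildcard one. It assumes netstat -an prints the local address as the fourth column, as in the output quoted above; the sample output below is constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: report whether the listener for a
# given TCP port is bound to loopback, the wildcard address, or something else.
# Assumption: "Local Address" is the fourth whitespace-separated field and the
# state is the last field, as in the netstat -an output quoted in the thread.

# Constructed sample of `netstat -an` output: a plain -L forward (loopback only),
# a -g / GatewayPorts=yes forward (wildcard), an sshd bound to one interface
# only, and an established session that is not a listener at all.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:20022         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:44000           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:2222         0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED'

# listener_scope PORT   (netstat output on stdin) prints exactly one word:
#   loopback  bound to 127.0.0.1: only processes on this host can connect
#   wildcard  bound to 0.0.0.0: reachable from other hosts (firewall permitting)
#   other     bound to one specific non-loopback address
#   none      no LISTEN entry for that port
listener_scope() {
    port=$1
    awk -v port="$port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":"); addr = a[1]; p = a[n]
            if (p != port) next
            if (addr == "127.0.0.1")     { print "loopback"; found = 1; exit }
            else if (addr == "0.0.0.0")  { print "wildcard"; found = 1; exit }
            else                         { print "other";    found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# With real data: netstat -an | listener_scope 20022
printf '%s\n' "$SAMPLE_NETSTAT" | listener_scope 20022   # loopback
printf '%s\n' "$SAMPLE_NETSTAT" | listener_scope 44000   # wildcard
```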
This only partially answers my question. I know about the -g option, and it works O.K. for forwarding a LOCAL port. But I wanted to forward port 20022 on my_host as a REMOTE port by connecting to my_host from some_host like this:

    some_host$ ssh -R 20022:my_other_host:22 user@my_host

and it works only for local connections from my_host. Since the -g option doesn't help here, how do I get around this? Thx.
> Since the -g option doesn't help here, how do I get around this?

Maybe by reading the docs, especially sshd_config(5)?

-- snip --
GatewayPorts
    Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should bind remote port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. The argument must be ``yes'' or ``no''. The default is ``no''.
-- snap --
Sorry, missed that. At the moment that's controlled by the server-side GatewayPorts (ie in sshd_config). There's a patch attached to bug #413 (attachment #229) that allows greater control over which interface a remote port forward listens on (subject to the server's GatewayPorts setting).
> Maybe by reading the docs, especially sshd_config(5)?

This only relates to allowing connections to forwarded ports on the server side, but I don't have root access on the machine and can't change the sshd configuration. I'd like to set forwarding up completely on the client side.
> This only relates to allowing connections to forwarded ports
> on the server side, but I don't have root access on the machine

As you _are_ creating a forwarded port on the server side, this does relate to your problem. If you can't change the remote server's sshd_config, and can't convince the admin to change it (he'll maybe have a reason for not allowing gateway ports), there's nothing else you can do. It's a server option, not a client option.
Easy solution:

    ssh my_host
    (login)
    myhost% ssh -g -L 44000:other_host:22
    (login again)

With the second ssh, you are forwarding the LOCAL port for my_host, using the ssh client, which is quite legal to make a server port. Job done.

Note: the connection between myhost and other_host is NOT being encrypted. You are simply using ssh as a port redirection tool at this point. If you're connecting to an ssh daemon on other_host, this isn't a problem. If you're doing pretty much anything else, you'd probably want to do:

    my_host% ssh -g -L 44000:localhost:25 other_host

That would forward an encrypted channel to other_host that then connects to its port 25 locally.
> Note: the connection between myhost and other_host is NOT being encrypted

Yea, I'm completely aware of that, and familiar with how port forwarding works. But actually only forwarding remote ports works for me since I want to forward a port from a machine I can't reach from outside regularly.

Anyway, I'm on good terms with the system root on myhost so we set GatewayPorts yes and restarted sshd, and it worked. Thanks all for the info and help.