[deployment-guide/comm-rel: 30/41] Updated the Port Forwarding section.

dsilas dsilas at fedoraproject.org
Fri Jul 16 08:54:25 UTC 2010


commit 19de19f9d7ca6a0a895bdcf01aca5aa0572836b7
Author: Jaromir Hradilek <jhradile at redhat.com>
Date:   Wed Jul 14 16:47:17 2010 +0200

    Updated the Port Forwarding section.

 en-US/OpenSSH.xml |   36 ++++++++++++++++++------------------
 1 files changed, 18 insertions(+), 18 deletions(-)
---
diff --git a/en-US/OpenSSH.xml b/en-US/OpenSSH.xml
index d9d122c..2434096 100644
--- a/en-US/OpenSSH.xml
+++ b/en-US/OpenSSH.xml
@@ -796,47 +796,47 @@ john at penguin.example.com's password:</screen>
         <secondary>port forwarding</secondary>
       </indexterm>
       <para>
-        SSH can secure otherwise insecure TCP/IP protocols via port forwarding. When using this technique, the SSH server becomes an encrypted conduit to the SSH client.
+        SSH can secure otherwise insecure <systemitem class="protocol">TCP/IP</systemitem> protocols via port forwarding. When using this technique, the SSH server becomes an encrypted conduit to the SSH client.
       </para>
       <para>
-        Port forwarding works by mapping a local port on the client to a remote port on the server. SSH can map any port from the server to any port on the client; port numbers do not need to match for this technique to work.
+        Port forwarding works by mapping a local port on the client to a remote port on the server. SSH can map any port from the server to any port on the client. Port numbers do not need to match for this technique to work.
       </para>
-      <para>
-        To create a TCP/IP port forwarding channel which listens for connections on the localhost, use the following command:
-      </para>
-      <screen>ssh -L <replaceable>local-port</replaceable>:<replaceable>remote-hostname</replaceable>:<replaceable>remote-port</replaceable> <replaceable>username</replaceable>@<replaceable>hostname</replaceable></screen>
       <note>
-        <title>Note</title>
+        <title>Note: Using Reserved Port Numbers</title>
         <para>
           Setting up port forwarding to listen on ports below 1024 requires root level access.
         </para>
       </note>
       <para>
-        To check email on a server called <command>mail.example.com</command> using POP3 through an encrypted connection, use the following command:
+        To create a TCP/IP port forwarding channel which listens for connections on the <systemitem class="domainname">localhost</systemitem>, use a command in the following form:
       </para>
-      <screen>ssh -L 1100:mail.example.com:110 mail.example.com</screen>
+      <screen><command>ssh -L <replaceable>local-port</replaceable>:<replaceable>remote-hostname</replaceable>:<replaceable>remote-port</replaceable> <replaceable>username</replaceable>@<replaceable>hostname</replaceable></command></screen>
       <para>
-        Once the port forwarding channel is in place between the client machine and the mail server, direct a POP3 mail client to use port 1100 on the localhost to check for new mail. Any requests sent to port 1100 on the client system are directed securely to the <command>mail.example.com</command> server.
+        For example, to check email on a server called <systemitem class="domainname">mail.example.com</systemitem> using <systemitem class="protocol">POP3</systemitem> through an encrypted connection, use the following command:
       </para>
+      <screen>~]$ <command>ssh -L 1100:mail.example.com:110 mail.example.com</command></screen>
       <para>
-        If <command>mail.example.com</command> is not running an SSH server, but another machine on the same network is, SSH can still be used to secure part of the connection. However, a slightly different command is necessary:
+        Once the port forwarding channel is in place between the client machine and the mail server, direct a POP3 mail client to use port <literal>1100</literal> on the <systemitem class="domainname">localhost</systemitem> to check for new email. Any requests sent to port <literal>1100</literal> on the client system will be directed securely to the <systemitem class="domainname">mail.example.com</systemitem> server.
       </para>
-      <screen>ssh -L 1100:mail.example.com:110 other.example.com</screen>
       <para>
-        In this example, POP3 requests from port 1100 on the client machine are forwarded through the SSH connection on port 22 to the SSH server, <command>other.example.com</command>. Then, <command>other.example.com</command> connects to port 110 on <command>mail.example.com</command> to check for new mail. Note, when using this technique only the connection between the client system and <command>other.example.com</command> SSH server is secure.
+        If <systemitem class="domainname">mail.example.com</systemitem> is not running an SSH server, but another machine on the same network is, SSH can still be used to secure part of the connection. However, a slightly different command is necessary:
       </para>
+      <screen>~]$ <command>ssh -L 1100:mail.example.com:110 other.example.com</command></screen>
       <para>
-        Port forwarding can also be used to get information securely through network firewalls. If the firewall is configured to allow SSH traffic via its standard port (22) but blocks access to other ports, a connection between two hosts using the blocked ports is still possible by redirecting their communication over an established SSH connection.
+        In this example, POP3 requests from port <literal>1100</literal> on the client machine are forwarded through the SSH connection on port <literal>22</literal> to the SSH server, <systemitem class="domainname">other.example.com</systemitem>. Then, <systemitem class="domainname">other.example.com</systemitem> connects to port <literal>110</literal> on <systemitem class="domainname">mail.example.com</systemitem> to check for new email. Note that when using this technique, only the connection between the client system and <systemitem class="domainname">other.example.com</systemitem> SSH server is secure.
       </para>
-      <note>
-        <title>Note</title>
+      <para>
+        Port forwarding can also be used to get information securely through network firewalls. If the firewall is configured to allow SSH traffic via its standard port (that is, port 22) but blocks access to other ports, a connection between two hosts using the blocked ports is still possible by redirecting their communication over an established SSH connection.
+      </para>
+      <important>
+        <title>Important: A Connection Is Only as Secure as a Client System</title>
         <para>
           Using port forwarding to forward connections in this manner allows any user on the client system to connect to that service. If the client system becomes compromised, the attacker also has access to forwarded services.
         </para>
         <para>
-          System administrators concerned about port forwarding can disable this functionality on the server by specifying a <command>No</command> parameter for the <command>AllowTcpForwarding</command> line in <filename>/etc/ssh/sshd_config</filename> and restarting the <command>sshd</command> service.
+          System administrators concerned about port forwarding can disable this functionality on the server by specifying a <option>No</option> parameter for the <option>AllowTcpForwarding</option> line in <filename>/etc/ssh/sshd_config</filename> and restarting the <command>sshd</command> service.
         </para>
-      </note>
+      </important>
     </section>
     <section id="s2-openssh-generate-keypairs">
       <title>Generating Key Pairs</title>
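Review bot: in the `AllowTcpForwarding` paragraph (the `<option>No</option>` line near the end of the hunk), the argument should be spelled lowercase, `<option>no</option>`, which is how sshd_config(5) documents the yes/no arguments; older sshd versions compare these arguments literally, so a reader copying `No` into `/etc/ssh/sshd_config` risks a "Bad yes/no argument" error on restart. Also worth a second look: the "Note: Using Reserved Port Numbers" admonition now sits before the general `ssh -L` command form it qualifies, so consider moving it back below the `<screen>` with the command so the reader has seen what "listen on ports below 1024" refers to, and the new `<important>` title reads more naturally as "Only as Secure as the Client System".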

