Difference between “local port forwarding” and “dynamic port forwarding”?












I am trying to understand the difference between "local port forwarding" and "dynamic port forwarding".



In the ssh command for "local port forwarding", is it always required to specify the destination host?



Does "dynamic" in "dynamic port forwarding" mean that, in the ssh command for "dynamic port forwarding", there is no need to specify the destination host? If yes, when is the destination specified?










ssh port-forwarding






asked Jul 1 '15 at 1:14









Tim

  • superuser.com/questions/271616/…

    – muru
    Jul 1 '15 at 3:01



















2 Answers
Yes, you have to specify a destination IP and port when using local forwarding. From man ssh:

    -L [bind_address:]port:host:hostport
        Specifies that the given port on the local (client) host is to be
        forwarded to the given host and port on the remote side.

Clearly, only the bind address is optional.

No, you can't specify a destination host or port when using dynamic forwarding. In dynamic forwarding, SSH acts as a SOCKS proxy. Again from the manpage (emphasis mine):

    -D [bind_address:]port
        Specifies a local “dynamic” application-level port forwarding.
        This works by allocating a socket to listen to port on the local
        side, optionally bound to the specified bind_address. Whenever a
        connection is made to this port, the connection is forwarded over
        the secure channel, and the application protocol is then used to
        determine where to connect to from the remote machine. Currently
        the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
        as a SOCKS server.

With -L, SSH makes no attempt to understand the traffic. It just sends everything it receives on the local port to the target port - you determine the target port at the time the connection is made. With -D, SSH acts as a proxy server, and therefore can handle connections from multiple ports (for example, a browser configured to use it as a SOCKS proxy can then access HTTP, HTTPS, FTP, etc. over the same connection). And like with other proxy servers, it will use the traffic to determine the destination.







answered Jul 1 '15 at 3:08

muru

  • Thanks, muru! I wonder why dynamic forwarding is called a proxy, while local forwarding isn't? By definition, is the ssh server, ssh client or both in local forwarding a proxy (server)? unix.stackexchange.com/a/234184/674

    – Tim
    Oct 7 '15 at 16:53

  • @Tim a proxy server understands the protocol that it is proxying. With port forwarding, SSH makes no attempt to understand what protocol is coming its way, but with -D, it has to, in order to understand where to send the data.

    – muru
    Oct 7 '15 at 16:58

  • Thanks. I searched in some textbooks of computer networks (e.g. Tanenbaum's) for a definition of a proxy (server) as clear as yours, but wasn't satisfied. Do you have some books to recommend for learning concepts?

    – Tim
    Oct 7 '15 at 17:01

  • In dynamic port forwarding, which is the proxy server, the ssh client, ssh server or both?

    – Tim
    Oct 7 '15 at 17:03

  • @Tim Tanenbaum's was the only book I studied from. The rest comes from using things.

    – muru
    Oct 7 '15 at 17:03
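
Where the destination lives in each mode, as an added example that is not part of the original answers: with -L it is fixed in the command-line argument, while with -D the SOCKS client states it in the first bytes of every connection. The function names, the hostname emr-master.example.internal and the sample byte strings are constructed for illustration, and the -L parser assumes no IPv6 literals.

```python
import ipaddress
import struct


def parse_local_forward(spec: str) -> dict:
    """Split an `-L [bind_address:]port:host:hostport` value (IPv6 literals not handled)."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts = [None] + parts          # bind_address omitted: the only optional field
    if len(parts) != 4:
        raise ValueError(f"not a -L specification: {spec!r}")
    bind, listen_port, host, hostport = parts
    return {"bind": bind, "listen_port": int(listen_port),
            "host": host, "port": int(hostport)}


def parse_socks_request(data: bytes) -> dict:
    """Extract the destination from a SOCKS4, SOCKS4a or SOCKS5 request.

    For SOCKS5, `data` is the request sent after method negotiation.
    """
    if not data:
        raise ValueError("empty request")
    if data[0] == 4:
        return _parse_socks4(data)
    if data[0] == 5:
        return _parse_socks5(data)
    raise ValueError(f"not SOCKS4/SOCKS5 (first byte {data[0]:#04x})")


def _parse_socks4(data: bytes) -> dict:
    # VN | CD | DSTPORT(2) | DSTIP(4) | USERID ... NUL [| HOSTNAME ... NUL for 4a]
    if len(data) < 9:
        raise ValueError("truncated SOCKS4 request")
    command, port = data[1], struct.unpack("!H", data[2:4])[0]
    ip = data[4:8]
    userid_end = data.index(b"\x00", 8)      # ValueError if the terminator is missing
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        # SOCKS4a: 0.0.0.x means the name after USERID is resolved on the proxy side
        host_end = data.index(b"\x00", userid_end + 1)
        kind, host = "domain", data[userid_end + 1:host_end].decode("ascii")
    else:
        kind, host = "ipv4", str(ipaddress.IPv4Address(ip))
    return {"version": 4, "command": command, "kind": kind, "host": host, "port": port}


def _parse_socks5(data: bytes) -> dict:
    # VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT(2)
    if len(data) < 5:
        raise ValueError("truncated SOCKS5 request")
    command, atyp = data[1], data[3]
    if atyp == 1:
        start, end, kind = 4, 8, "ipv4"
    elif atyp == 3:
        start, end, kind = 5, 5 + data[4], "domain"   # one length byte, then the name
    elif atyp == 4:
        start, end, kind = 4, 20, "ipv6"
    else:
        raise ValueError(f"unknown SOCKS5 address type {atyp}")
    if len(data) < end + 2:
        raise ValueError("truncated SOCKS5 request")
    raw = data[start:end]
    host = raw.decode("ascii") if kind == "domain" else str(ipaddress.ip_address(raw))
    port = struct.unpack("!H", data[end:end + 2])[0]
    return {"version": 5, "command": command, "kind": kind, "host": host, "port": port}


# Constructed sample requests (not captured traffic); ports 8088-8090 follow the page.
_NAME = b"emr-master.example.internal"
SAMPLE_SOCKS5 = b"\x05\x01\x00\x03" + bytes([len(_NAME)]) + _NAME + struct.pack("!H", 8088)
SAMPLE_SOCKS4 = b"\x04\x01" + struct.pack("!H", 8089) + bytes([10, 0, 0, 5]) + b"hadoop\x00"
SAMPLE_SOCKS4A = (b"\x04\x01" + struct.pack("!H", 8090) + b"\x00\x00\x00\x01"
                  + b"hadoop\x00" + _NAME + b"\x00")

if __name__ == "__main__":
    print("-L fixes one destination:", parse_local_forward("8157:a.b.c.d:8088"))
    for req in (SAMPLE_SOCKS5, SAMPLE_SOCKS4, SAMPLE_SOCKS4A):
        print("-D destination chosen per connection:", parse_socks_request(req))
```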














Another way to learn this concept would be to take a look at how a client connects to Amazon's Elastic MapReduce (EMR) cluster. EMR has a bunch of local apps that it exposes and these are normally accessed via SSH tunnels.

There are 2 options for a client:

A) Local port forward
SSH command:

    ssh -i key.pem -L 8157:a.b.c.d:8088 hadoop@a.b.c.d

Here the client says, for example, that 8157 on localhost gets forwarded to a.b.c.d:8088.
The client has to make a request to the localhost:

    http://localhost:8157

Other applications could be listening on ports such as 8089, 8090, and the client has to make ssh connections for each one of these.

B) Dynamic port forward
Here a single SSH command is used:

    ssh -i key.pem -D 8157 hadoop@a.b.c.d

Any traffic going in on port 8157 will be routed via the ssh tunnel. The destination of the traffic will be the URL's destination. For example, you can use a proxy-client on your webserver and redirect some HTTP URIs to use the proxy. You can access all your applications on 8089, 8090 via a single command.

For reference, see this doc:
https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-web-interfaces.html







answered Mar 4 at 16:09

M Ga





























