Difference between “local port forwarding” and “dynamic port forwarding”?
I am trying to understand the difference between "local port forwarding" and "dynamic port forwarding".
In the ssh command for "local port forwarding", is it always required to specify the destination host?
Does "dynamic" in "dynamic port forwarding" mean that, in the ssh command for "dynamic port forwarding", there is no need to specify the destination host? If yes, when is the destination specified?
ssh port-forwarding
asked Jul 1 '15 at 1:14
Tim
superuser.com/questions/271616/…
– muru
Jul 1 '15 at 3:01
2 Answers
Yes, you have to specify a destination IP and port when using local forwarding. From man ssh:
    -L [bind_address:]port:host:hostport
            Specifies that the given port on the local (client) host is to be
            forwarded to the given host and port on the remote side.
Clearly, only the bind address is optional.
No, you can't specify a destination host or port when using dynamic forwarding. In dynamic forwarding, SSH acts as a SOCKS proxy. Again from the manpage (emphasis mine):
    -D [bind_address:]port
            Specifies a local “dynamic” application-level port forwarding.
            This works by allocating a socket to listen to port on the local
            side, optionally bound to the specified bind_address. Whenever a
            connection is made to this port, the connection is forwarded over
            the secure channel, and the application protocol is then used to
            determine where to connect to from the remote machine. Currently
            the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
            as a SOCKS server.
With -L, SSH makes no attempt to understand the traffic. It just sends everything it receives on the local port to the target port - you determine the target port at the time the connection is made.
With -D, SSH acts as a proxy server, and therefore can handle connections from multiple ports (for example, a browser configured to use it as a SOCKS proxy can then access HTTP, HTTPS, FTP, etc. over the same connection). And like with other proxy servers, it will use the traffic to determine the destination.
answered Jul 1 '15 at 3:08
muru
Thanks, muru! I wonder why dynamic forwarding is called a proxy, while local forwarding isn't? By definition, is the ssh server, ssh client or both in local forwarding a proxy (server)? unix.stackexchange.com/a/234184/674 – Tim Oct 7 '15 at 16:53
@Tim a proxy server understands the protocol that it is proxying. With port forwarding, SSH makes no attempt to understand what protocol is coming its way, but with -D, it has to, in order to understand where to send the data. – muru Oct 7 '15 at 16:58
Thanks. I searched in some textbooks of computer networks (e.g. Tanenbaum's) for a definition of a proxy (server) as clear as yours, but wasn't satisfied. Do you have some books to recommend for learning concepts? – Tim Oct 7 '15 at 17:01
In dynamic port forwarding, which is the proxy server, the ssh client, ssh server or both? – Tim Oct 7 '15 at 17:03
@Tim Tanenbaum's was the only book I studied from. The rest comes from using things. – muru Oct 7 '15 at 17:03
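As an added example (not part of the original answers and not OpenSSH code): a minimal Python parser for the SOCKS4, SOCKS4a and SOCKS5 CONNECT request, showing where the destination that -D has to read is carried in the client's own bytes, whereas with -L the destination is fixed on the command line and nothing is parsed. The sample requests and the host name emr-master.example.internal are constructed for illustration.

```python
"""Where the destination lives in a SOCKS CONNECT request (what a -D listener reads)."""
import ipaddress
import struct

CMD_CONNECT = 0x01


class SocksError(ValueError):
    """The bytes are not a well-formed SOCKS CONNECT request."""


def _hostname(raw: bytes) -> str:
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise SocksError("hostname is not ASCII") from exc


def _parse_socks4(data: bytes):
    # Layout: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID.. NUL [HOSTNAME.. NUL]
    if len(data) < 9:
        raise SocksError("truncated SOCKS4 request")
    _, cmd, port = struct.unpack("!BBH", data[:4])
    if cmd != CMD_CONNECT:
        raise SocksError("only CONNECT is handled here")
    ip = data[4:8]
    user_end = data.find(b"\x00", 8)
    if user_end < 0:
        raise SocksError("unterminated USERID")
    # SOCKS4a: DSTIP 0.0.0.x (x != 0) means a hostname follows the USERID.
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        host_end = data.find(b"\x00", user_end + 1)
        if host_end <= user_end + 1:
            raise SocksError("missing SOCKS4a hostname")
        return ("socks4a", _hostname(data[user_end + 1:host_end]), port)
    return ("socks4", str(ipaddress.IPv4Address(ip)), port)


def _parse_socks5(data: bytes):
    # Layout: VER(1) CMD(1) RSV(1) ATYP(1) DST.ADDR(var) DST.PORT(2)
    # This is the request sent after the method-negotiation greeting.
    if len(data) < 5:
        raise SocksError("truncated SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if cmd != CMD_CONNECT:
        raise SocksError("only CONNECT is handled here")
    if atyp == 0x01:        # IPv4 literal
        off, alen = 4, 4
    elif atyp == 0x04:      # IPv6 literal
        off, alen = 4, 16
    elif atyp == 0x03:      # domain name, length-prefixed
        off, alen = 5, data[4]
    else:
        raise SocksError("unknown address type")
    end = off + alen
    if alen == 0 or len(data) < end + 2:
        raise SocksError("truncated SOCKS5 address or port")
    addr = data[off:end]
    (port,) = struct.unpack("!H", data[end:end + 2])
    host = _hostname(addr) if atyp == 0x03 else str(ipaddress.ip_address(addr))
    return ("socks5", host, port)


def parse_socks_destination(data: bytes):
    """Return (protocol, host, port) named by the client's CONNECT request."""
    if not data:
        raise SocksError("empty request")
    if data[0] == 4:
        return _parse_socks4(data)
    if data[0] == 5:
        return _parse_socks5(data)
    raise SocksError("not a SOCKS4/SOCKS5 request")


# Constructed sample requests (not captured traffic); the host name is made up.
_HOST = b"emr-master.example.internal"
SOCKS5_DOMAIN = b"\x05\x01\x00\x03" + bytes([len(_HOST)]) + _HOST + struct.pack("!H", 8088)
SOCKS5_IPV4 = b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5]) + struct.pack("!H", 8089)
SOCKS4A = b"\x04\x01" + struct.pack("!H", 8090) + b"\x00\x00\x00\x01" + b"hadoop\x00" + _HOST + b"\x00"

if __name__ == "__main__":
    for name, req in [("socks5/domain", SOCKS5_DOMAIN), ("socks5/ipv4", SOCKS5_IPV4), ("socks4a", SOCKS4A)]:
        print(name, "->", parse_socks_destination(req))
```

Each connection to the single -D listener can name a different host and port, which is why one dynamic forward covers 8088, 8089 and 8090 while -L needs one forward per destination.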
Another way to learn this concept would be to take a look at how a client connects to Amazon's Elastic MapReduce (EMR) cluster. EMR has a bunch of local apps that it exposes, and these are normally accessed via SSH tunnels.
There are 2 options for a client:
A) Local port forward
SSH command:
    ssh -i key.pem -L 8157:a.b.c.d:8088 hadoop@a.b.c.d
Here the client says, for example, that 8157 on localhost gets forwarded to a.b.c.d:8088.
The client has to make a request to the localhost:
    http://localhost:8157
Other applications could be listening on ports such as 8089, 8090, and the client has to make ssh connections for each one of these.
B) Dynamic port forward
Here a single SSH command is used:
    ssh -i key.pem -D 8157 hadoop@a.b.c.d
Any traffic going in on port 8157 will be routed via the ssh tunnel. The destination of the traffic will be the URL's destination. For example, you can use a proxy-client on your webserver and redirect some HTTP URIs to use the proxy. You can access all your applications on 8089, 8090 via a single command.
For reference, see this doc:
https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-web-interfaces.html
answered Mar 4 at 16:09
M Ga