In general, an address binding is an association between a service (e.g., SSH) and an IP address. A host may have multiple IP addresses (e.g., 127.0.0.1, 192.168.1.2). Address binding allows you to run a service on some or all of these addresses.
In SSH local forwarding:
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.
What is the meaning of “all interfaces” in the context of an empty address or
? Does it refer to all the
belonging to the
? This is applicable when the local host has multiple network interfaces and the port
can be utilized with all of them.
Does the phrase “for local use only” in the statement “The bind_address of
indicates that the listening port be bound for local use only” refer to a specific network interface on the local host?
Is it possible for
to point to a network interface located on a host different from the one it is currently on?
Broadly speaking, an IP address is paired with a particular service, such as SSH, through what is known as an address binding.
A single host can possess multiple addresses (for instance, 127.0.0.1 and 192.168.1.2), which can be utilized to run a service using some or all of them.
Assuming your host has two network interfaces, with one linked to a trusted network (192.168.1.0/24) and the other connected to an
(192.168.2.0/24), if you want SSH connections to be accepted from only the trusted network, you must bind the SSH service to the host’s address on the trusted network exclusively (for instance, 192.168.1.2).
, access to the SSH service would be restricted to only those SSH clients that are operating on the local machine.
Every interface, except for the special ones like
, allows for connection. The packet filter log
uses the loopback interface, typically
, which should have the
address assigned to it. The crucial difference is whether or not the port is accessible by remote systems; when using localhost, only local processes can connect.
may not necessarily be a local address, it would trigger a
bind: Can't assign requested address
error and therefore would not have a meaningful purpose.
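The following is an added example, not code from the original question or answer. It binds a plain TCP listener the way the quoted ssh -L description does for its bind_address argument, so you can see how “localhost”, the empty (all-interfaces) form and an address the host does not own behave, including the “Can't assign requested address” failure the answer mentions. The 192.0.2.1 address is a constructed value from documentation space and is assumed not to be assigned to the machine running it.

```python
# Added example (not from the original post): shows what the three
# bind_address forms from the ssh -L description mean for a listening
# socket, and what happens with an address the host does not own.
import errno
import socket

# Constructed test address: 192.0.2.0/24 is documentation space (RFC 5737)
# and is assumed not to be assigned to this host.
NON_LOCAL_ADDRESS = "192.0.2.1"

def try_bind(bind_address):
    """Bind a TCP listener to bind_address on a kernel-chosen port.

    Returns {'ok': True, 'bound_to': addr, 'port': n, 'exposure': text} on
    success or {'ok': False, 'errno': n, 'error': text} on failure. An empty
    string is the '*' / all-interfaces form, exactly as ssh -L treats it.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((bind_address, 0))       # port 0: kernel picks a free port
        s.listen(1)
        bound_to, port = s.getsockname()
    except OSError as e:
        return {"ok": False, "errno": e.errno, "error": e.strerror}
    finally:
        s.close()                       # demo only; nothing keeps listening
    if bound_to == "0.0.0.0":
        exposure = "all interfaces: reachable by remote hosts"
    elif bound_to.startswith("127."):
        exposure = "loopback: local processes only"
    else:
        exposure = "one interface: reachable on that address only"
    return {"ok": True, "bound_to": bound_to, "port": port, "exposure": exposure}

def is_non_local_error(result):
    """True when bind failed because the address is not one of the host's own
    (EADDRNOTAVAIL, printed by ssh as 'bind: Can't assign requested address')."""
    return not result["ok"] and result["errno"] == errno.EADDRNOTAVAIL

if __name__ == "__main__":
    for addr in ("localhost", "", NON_LOCAL_ADDRESS):
        r = try_bind(addr)
        label = repr(addr) if addr else "'' (same as '*')"
        if r["ok"]:
            print(f"{label}: bound to {r['bound_to']} -> {r['exposure']}")
        else:
            print(f"{label}: bind failed: {r['error']}")
```

Run it on a host with a second interface and substitute that interface's address for NON_LOCAL_ADDRESS to see the third case: the port binds, but only clients that can reach that address get through.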