Understanding the Meaning of bind_address for SSH Port Forwarding

In general, an address binding is
an association between a service (e.g., SSH) and an IP address
. A host may have multiple IP addresses (e.g., 127.0.0.1, 192.168.1.2). Address binding allows you to run a service on some or all of these addresses.


Question:

In SSH local forwarding:

 -L [bind_address:]port:host:hostport
         Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.  This works by
         allocating a socket to listen to port on the local side, optionally bound to the specified bind_address.  Whenever a connection is made to
         this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine.  Port
         forwardings can also be specified in the configuration file.  IPv6 addresses can be specified by enclosing the address in square brackets.
         Only the superuser can forward privileged ports.  By default, the local port is bound in accordance with the GatewayPorts setting.  However,
         an explicit bind_address may be used to bind the connection to a specific address.  The bind_address of “localhost” indicates that the listen‐
         ing port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.

What is the meaning of “all interfaces” in the context of an empty address or

*

? Does it refer to all the
network interfaces
belonging to the
local host
? This is applicable when the local host has multiple network interfaces and the port

port

can be utilized with all of them.

Does the phrase “for local use only” in the statement “The bind_address of

localhost

indicates that the listening port be bound for local use only” refer to a specific network interface on the local host?

Is it possible for

bind_address

to point to a network interface located on a host different from the one it is currently on?


Solution 1:

Broadly speaking, an IP address is paired with a particular service, such as SSH, through what is known as an address binding.

A single host can possess multiple addresses (for instance, 127.0.0.1 and 192.168.1.2), which can be utilized to run a service using some or all of them.

Assuming your host has two network interfaces, with one linked to a trusted network (192.168.1.0/24) and the other connected to an
untrusted network
(192.168.2.0/24), if you want SSH connections to be accepted from only the trusted network, you must bind the SSH service to the host’s address on the trusted network exclusively (for instance, 192.168.1.2).

By utilizing

localhost

as

bind_address

, access to the SSH service would be restricted to only those SSH clients that are operating on the local machine.


Solution 2:


Every interface, except for the special ones like

pflog0

, allows for connection. The packet filter log
interface). Local
uses the loopback interface, typically

lo0

, which should have the

::1

address assigned to it. The crucial difference is whether or not the port is accessible by remote systems; when using localhost, only local processes can connect.

While the
bind address
may not necessarily be a local address, it would trigger a

bind: Can't assign requested address

error and therefore would not have a meaningful purpose.

Frequently Asked Questions

Posted in Uncategorized