Robert Dober
5/6/2007 8:03:00 AM
On 5/6/07, eden li <eden.li@gmail.com> wrote:
> Nice, looks like this would work. Just have to make sure that 4242 is
> firewalled or only bound to lo on the server side.
>
> As far as I can tell, all traffic is tunneled via SSH, so unless
> something is on your machine (or your server) sniffing your loopback
> device (or unless my understanding of how tunneling works), it should
> be totally protected.
Careful here: in our case everything is encrypted, but
if the port forwarding is forwarding a port from a different machine,
that is not the case. Look at this command:

    ssh -fNL 4141:dbhost:mysqlport ruby@ssh-server

All traffic between the client and ssh-server is encrypted, but the
forwarded traffic between ssh-server and dbhost is not.
I guess you are aware of that, but not everybody is, nor was I before
being warned by a colleague.
That still often is what you want, especially if dbhost is in a DMZ, of course.
Robert
--
You see things; and you say Why?
But I dream things that never were; and I say Why not?
-- George Bernard Shaw
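
The point made in this message, as an added example that is not part of the original thread: a small Python check that takes the TCP form of an `ssh -L` spec (`[bind_address:]port:host:hostport`) and reports the hop that SSH does not encrypt. It goes slightly beyond the message by also flagging a listener that is not bound to loopback, following the bind_address rules in ssh(1). The function names, the `gateway_ports` parameter and the port 3306 (standing in for `mysqlport`) are assumptions made for the example.

```python
import ipaddress
import re

# One field of a -L spec: a bracketed IPv6 literal or a run without colons.
_FIELD = re.compile(r"\[([^\]]*)\]|([^:\[\]]*)")

def split_spec(spec):
    """Split '[bind_address:]port:host:hostport' on colons, honouring [v6]."""
    fields, pos = [], 0
    while True:
        m = _FIELD.match(spec, pos)
        fields.append(m.group(1) if m.group(1) is not None else m.group(2))
        pos = m.end()
        if pos == len(spec):
            return fields
        if spec[pos] != ":":
            raise ValueError(f"malformed forward spec: {spec!r}")
        pos += 1

def is_loopback(name):
    """True for 'localhost' and for literal loopback addresses."""
    if name.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:
        return False  # some other hostname, an empty string or '*'

def audit_forward(spec, gateway_ports=False):
    """Report where traffic for one TCP -L forward travels outside the tunnel."""
    fields = split_spec(spec)
    if len(fields) == 3:
        fields.insert(0, None)  # no explicit bind_address
    if len(fields) != 4:
        raise ValueError(f"expected [bind_address:]port:host:hostport: {spec!r}")
    bind, _lport, host, hport = fields
    # Without bind_address, ssh listens on loopback unless GatewayPorts is on;
    # an empty bind_address or '*' listens on all interfaces (ssh(1), -L).
    exposed = gateway_ports if bind is None else not is_loopback(bind)
    # host is resolved on the ssh server; anything other than its own loopback
    # means a second hop (ssh-server -> host) that SSH does not encrypt.
    hop = None if is_loopback(host) else (host, hport)
    return {"listener_exposed": exposed, "plaintext_hop_to": hop}

# Constructed sample: the command from the message, 3306 standing in for mysqlport.
if __name__ == "__main__":
    print(audit_forward("4141:dbhost:3306"))
```

A non-`None` `plaintext_hop_to` means the leg from ssh-server to that host relies on the network between them, or on the application protocol's own encryption, for confidentiality.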