It always gave me a headache when I tried to figure out the command line syntax of ssh for port forwarding and I ended up staring at the man page for several minutes and making drawings on a piece of paper. So I’ve put together three illustrations for the three possible port forwarding methodologies. The green arrow means that the traffic is encrypted and the red that it’s not encrypted (or at least not by ssh, you can tunnel encrypted traffic like RDP over ssh). The arrows show the direction for initiating the traffic, after that the traffic can flow both ways. The ssh command is always issued on the machine marked with ssh and the ssh daemon runs on the machine marked with sshd. Click on the images to see a larger version of them.