Tunneling through unfriendly firewalls

I just posted a description of some tunneling I'm doing in this thread. I'm basically getting port 80 traffic through an encrypted tunnel so I can use a web server that's behind a firewall. The problem is, all port 80 traffic on the web server side of the firewall is not encrypted. I tried being clever:

ssh -L 2345:firewall:3456 bforbes@firewall
ssh -L 3456:webserver:80 bforbes@webserver

But I think the firewall has some restrictions on users creating listening ports, because I get this:

      channel 3: open failed: connect failed: Connection refused

whenever I try to forward packets through my port 2345.

Is there another way to achieve this? Surely if I have an encrypted tunnel all the way through to the webserver, there is someway to send port 80 traffic through it, regardless of the firewall's restrictions?

I've just worked out a pretty good technique:

"home" terminal 1:
ssh -L 3456:webserver:22 bforbes@firewall

"home" terminal 2:
ssh -p 3456 -L 2345:localhost:80 bforbes@localhost

And then I just browse to "localhost:2345" to access the web site. It's encrypted the whole way through, I'm fairly sure.

The only problem is that you have to delete the key for "home" from known_hosts, since the second ssh command above thinks it's connecting to "home", when in fact it's connecting to "webserver". Any ideas on how to prevent this from happening? It's not a big deal, but some people might be concerned about deleting keys from known_hosts.

The known_hosts problem can be eliminated with the option
    -o NoHostAuthenticationForLocalhost=yes

If you have a full implementation of SSH on said web server, just use:

ssh -D 3128 username@webserver

Then set your browser to use the SOCKS proxy built into the SSH server.  That is, go to your proxy settings for your browser, and under SOCKS proxy, put localhost:3128 (or whatever port you chose when you connected).  You can then surf *any* site from the web server itself by simply typing the name.  If you want to see something on the local server that you are ssh'ed into, you use http://localhost/.

Note that the SOCKS proxy can be used for many fun things other than browsing... like tunneling IM, avoiding content filters and other corporate / restrictive appliances, tunneled ftp & irc, etcetera.  Note that your connection is encrypted to the head end, then it's up to the specific protocol to protect you.  In other terms, you're encrypted all the way to the SSH server, but if you use a clear text protocol such as HTTP it will be clear text beyond the SSH server (obviously).

We use this feature for exposing only an SSH gateway to the bad nasty outside (which is actually inside our network), then we tunnel everything through SSH to access things behind our firewall.  Note that this feature isn't available in all implementations of SSH, such as Cisco's SSH server on their firewalls.  Most full implementations of SSH should have it though.

bforbes wrote:

The known_hosts problem can be eliminated with the option
    -o NoHostAuthenticationForLocalhost=yes