diff --git a/2006-01-23-ssh-tunnelling-101.html b/2006-01-23-ssh-tunnelling-101.html
new file mode 100644
index 0000000..d357eda
--- /dev/null
+++ b/2006-01-23-ssh-tunnelling-101.html
@@ -0,0 +1,53 @@
+
+
+
+
+
+
The Players
+
+I’ll be referring to 3 hosts:
+
+
+- A: The server; this machine is behind a firewall that allows outgoing connections but doesn’t allow incoming.
+- B: The bounce host; this machine is unfirewalled.
+- C: The client.
+
+
+Configuring B
+
+Some sshd configuration needs to be done on B before any of this will work. In the sshd_config file (/etc/ssh/sshd_config on Debian):
+
+AllowTcpForwarding yes
+GatewayPorts yes
+
+
+Remember to restart sshd after making changes (/etc/init.d/ssh restart).
+
+Building the Tunnel
+
+On A, run:
+
+ssh -g -n -R <port on B>:127.0.0.1:<port on A> <address of B> sleep 999999
+
+
+This will hang with no output; that’s the expected result.
+
+You should now be able to connect to the port on B and be talking to A. To get this to restart if the connection dies, run it inside:
+
+while :; do <command>; done
+
+
+As with all shell commands, put a “&” on the end to run it in the background.
+
+Tunnelling FTP
+
+Due to a trick in the FTP protocol, you can use this tunnelling arrangement but have FTP data connections go directly from A to C, without touching B. This only works with so-called “active” FTP (using the PORT command instead of PASV). C must also be unfirewalled for this to work.
+
+The only thing you’ll need to change is the FTP server configuration. In proftpd.conf, add:
+
+AllowForeignAddress on
+
+
+For pure-ftpd, run it with the “-w” commandline flag, or with a file named “AllowUserFXP” and a contents of “on” if you’re using pure-ftpd-wrapper.
+
+
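Review bot: In "Configuring B", `GatewayPorts yes` makes every remote forward from every account on B bind to the wildcard address, and B is described as unfirewalled, so the forwarded service on A becomes reachable by anyone who can reach B. Consider `GatewayPorts clientspecified` with an explicit bind address in the `-R` argument, or scoping `AllowTcpForwarding` and `GatewayPorts` to the tunnel account in a `Match User` block, and say in the text that the port on A is now exposed. The same kind of caveat is missing for `AllowForeignAddress on` in "Tunnelling FTP": it lets data connections go to an address other than the control connection's peer, which the trick needs, but it should be paired with a note on limiting who can log in to that FTP server.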
diff --git a/index.html b/index.html
index b03b676..189dc79 100644
--- a/index.html
+++ b/index.html
@@ -40,6 +40,7 @@
2009-Sep-11: Confusing BIND with CNAMEs
2009-Feb-19: The odd case of my mugging
2009-Feb-03: 5-packet TCP connection?
+2006-Jan-23: SSH Tunnelling 101
2006-Jan-23: How to install Debian Sarge on an IBM Blade
2006-Jan-22: Why does my machine think its name is localhost...
2006-Jan-22: Flashing without Microsoft or floppy drives
diff --git a/markdown/2006-01-23-ssh-tunnelling-101.md b/markdown/2006-01-23-ssh-tunnelling-101.md
new file mode 100644
index 0000000..c115e0b
--- /dev/null
+++ b/markdown/2006-01-23-ssh-tunnelling-101.md
@@ -0,0 +1,47 @@
+
+
+
+
+
+### The Players
+
+I’ll be referring to 3 hosts:
+
+* A: The server; this machine is behind a firewall that allows outgoing connections but doesn’t allow incoming.
+* B: The bounce host; this machine is unfirewalled.
+* C: The client.
+
+### Configuring B
+
+Some sshd configuration needs to be done on B before any of this will work. In the sshd\_config file (/etc/ssh/sshd\_config on Debian):
+
+ AllowTcpForwarding yes
+ GatewayPorts yes
+
+Remember to restart sshd after making changes (/etc/init.d/ssh restart).
+
+### Building the Tunnel
+
+On A, run:
+
+ ssh -g -n -R :127.0.0.1: sleep 999999
+
+This will hang with no output; that’s the expected result.
+
+You should now be able to connect to the port on B and be talking to A. To get this to restart if the connection dies, run it inside:
+
+ while :; do ; done
+
+As with all shell commands, put a “&” on the end to run it in the background.
+
+### Tunnelling FTP
+
+Due to a trick in the FTP protocol, you can use this tunnelling arrangement but have FTP data connections go directly from A to C, without touching B. This only works with so-called “active” FTP (using the PORT command instead of PASV). C must also be unfirewalled for this to work.
+
+The only thing you’ll need to change is the FTP server configuration. In proftpd.conf, add:
+
+ AllowForeignAddress on
+
+For pure-ftpd, run it with the “-w” commandline flag, or with a file named “AllowUserFXP” and a contents of “on” if you’re using pure-ftpd-wrapper.
+
+
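Review bot: The command under "Building the Tunnel" reads `ssh -g -n -R :127.0.0.1: sleep 999999` and the restart loop reads `while :; do ; done` in this file, so the `<port on B>`, `<port on A>`, `<address of B>` and `<command>` placeholders present in the HTML file are missing from the markdown source. Escape the angle brackets or use another placeholder form so the source and the rendered page agree; as written the loop is not valid shell. Two smaller points on the same lines: `-g` governs local forwards, while exposure of a `-R` port is decided by GatewayPorts on B, so it can be dropped; and the loop retries with no delay if the connection fails immediately, so a short `sleep` in the loop body would stop it spinning.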
diff --git a/markdown/index.md b/markdown/index.md
index 6fef878..07af9ec 100644
--- a/markdown/index.md
+++ b/markdown/index.md
@@ -39,6 +39,7 @@
1. 2009-Sep-11: [Confusing BIND with CNAMEs](2009-09-11-confusing-bind-with-cnames.html)
1. 2009-Feb-19: [The odd case of my mugging](2019-02-19-the-odd-case-of-my-mugging.html)
1. 2009-Feb-03: [5-packet TCP connection?](2009-02-03-5-packet-tcp-connection.html)
+1. 2006-Jan-23: [SSH Tunnelling 101](2006-01-23-ssh-tunnelling-101.html)
1. 2006-Jan-23: [How to install Debian Sarge on an IBM Blade](2006-01-23-how-to-install-debian-sarge-on-an-ibm-blade.html)
1. 2006-Jan-22: [Why does my machine think its name is localhost...](2006-01-22-why-does-my-machine-think-its-name-is-localhost-even-though-i-changed-it.html)
1. 2006-Jan-22: [Flashing without Microsoft or floppy drives](2006-01-22-flashing-without-microsoft-or-floppy-drives.html)
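Review bot: The context line for the 2009-Feb-19 entry links to `2019-02-19-the-odd-case-of-my-mugging.html`, which does not match the 2009 date in its label or the `YYYY-MM-DD` pattern of the neighbouring links, including the one added here. It is not introduced by this patch, but since the index is being touched it is worth checking whether the link target or the file name is wrong.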