ssh reverse tunnels

Hi Camelot, thanks for the reply. Just to clarify my situation, since I didn't do a very good job of that, I have a computer that sits behind a firewall, that I don't manage, that I cannot ssh into, much less tunnel other services, because it sits behind a firewall. So I am, indeed, wanting to set up reverse tunnels so that the machine to which I ultimately want to connect establishes an ssh connection to the machine from which I want to connect.

It is a little unusual in that I don't have an intermediary ssh server to which connect with the reverse tunnels, and I don't quite have the launchd.plist working quite right yet to set up this unattended ssh connection from the "target" machine at a specified time of day on a specified day of the week.

Lest anyone else decide to weigh in here and play morals cop and question my trying to circumvent firewalls, blah blah blah, I used to use VPN until last month when I.T. team did something to break VPN for all dozen or so of us Mac users. I.T. is under no obligation to provide Mac support and they have upper management direction to not provide Mac support, only Windows support. So since they don't have to, they don't. Their solution, as with upper upper management's solution, is "Get a Dell." Plus, I don't think that they know how to, anyways, otherwise, they wouldn't have dorked up the VPN. And no, they won't open inbound port 22. They don't like all the script kiddie attacks on port 22. Meanwhile, I have a need to connect so I'm trying to get an acceptably secure way to do so, with PKA ssh 2 reverse tunneled via a launchd-controlled shell script.

Anyways, it is just very odd that, like I said in my initial post, with -R40548:localhost:548 on the firewalled machine, I can ⌘k afp://localhost:10548 and mount the machine behind the firewall as a share. And it is odd that with the -R45900:localhost:5900 on the firewalled machine, I can ⌘k vnc://localhost:5900 and control the screen of the computer behind the firewall. But with -R10445:cifsshare:445 on the firewalled machine, cifs://localhost:10445 is telling me to go pound sand. I probably ought to see if I can afp to another machine via reverse tunnel, to eliminate the possibility of the non-localhost specification in the -R switch.

Kinda had to leave my long-winded post prematurely, so I didn't get to say (but wanted to) that the GatewayPorts parameter in sshd_config would seem to be a viable explanation as to why the connection is not being set up. Whose sshd_config do you think I should change, the guy's behind the firewall or the guy's outside the firewall, to whom I am attempting to ⌘k cifs://localhost:40445?

Another frustrating wrinkle.
Both machines inside the firewall.
Desktop has GatewayPorts yes.
Laptop sets up ssh connection in usual way to desktop with "-L" not "-R," i.e.:

ssh - L40445:cifs-server:445:localhost jv@desktop

From laptop (remember, now also inside firewall), first check Finder ⌘k cifs://cifs-server (make sure that I can mount the share in the usual way -- i.e., that it is indeed available). Success.
Next, check Finder ⌘k cifs://cifs-server:445 (make sure I really am talking on the port that I think I'm talking on). Success.
Finally, try Finder ⌘k cifs://localhost:40445. Crash and freqin' burn. I think it's time to quit flogging this dead horse.

My next brilliant idea: as part of a launchd-controlled script to establish the ssh connection with reverse tunnels from the desktop inside the firewall to the laptop when outside the firewall, just prior to invoking the ssh –R command, I'm thinking that maybe one could first mount the cifs server with mount point somewhere within $HOME on the desktop, so that maybe it could be accessed by merely navigating to the mount point in the afp://localhost:40548 tunnel. Maybe... But I can't quite decrypt the man mount page in order to figure out how to syntax the command, though -- how would one properly syntax the mount command to mount a cifs file server and define the mount point location?