diff -ur openssh-5.1p1.original/servconf.c openssh-5.1p1/servconf.c
--- openssh-5.1p1.original/servconf.c	2009-01-06 16:20:50.000000000 +0100
+++ openssh-5.1p1/servconf.c	2009-01-06 16:40:45.000000000 +0100
@@ -127,6 +127,7 @@
 	options->authorized_keys_file2 = NULL;
 	options->num_accept_env = 0;
 	options->permit_tun = -1;
+	options->num_forward_permits = 0;
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
@@ -312,7 +313,7 @@
 	sGssKeyEx,
 	sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
-	sUsePrivilegeSeparation, sAllowAgentForwarding,
+	sUsePrivilegeSeparation, sForwardPermit, sAllowAgentForwarding,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -429,7 +430,8 @@
 	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
 	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
-	{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
+	{ "forwardpermit", sForwardPermit},
+       	{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
 	{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
  	{ "match", sMatch, SSHCFG_ALL },
 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
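Review bot: The new `forwardpermit` table entry omits the third initializer that every neighbouring entry sets, so its flags field is implicitly zero and the scope of a security-relevant directive is left to whatever the parser does with a zero value. State the intent explicitly, e.g. `{ "forwardpermit", sForwardPermit, SSHCFG_GLOBAL },`, or use `SSHCFG_ALL` if it is meant to work inside Match blocks; in that case the parsing case would presumably also need to honour the active-block state, which this hunk does not show. The `acceptenv` line is also removed and re-added with spaces before the tab, which is whitespace-only noise and should be left untouched.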
@@ -1313,6 +1315,35 @@
 			*charptr = xstrdup(arg);
 		break;
 
+	case sForwardPermit:
+		{
+		char buf[256];
+		char sport[6];
+
+		while ((arg = strdelim(&cp)) && *arg != '\0') {
+			if (options->num_forward_permits >= MAX_FORWARD_PERMITS)
+				fatal("%s line %d: too many forward permits.",
+				    filename, linenum);
+
+			if (sscanf(arg, "%255[^:]:%5[0123456789]",
+			    buf, sport) != 2 &&
+			    sscanf(arg, "%255[^/]/%5[0123456789]",
+			    buf, sport) != 2) {
+				    fatal("%s line %d: Bad forwarding restriction specification '%s'\n",
+				          filename, linenum, arg);
+			}
+			if ((options->forward_permit_ports[options->num_forward_permits]
+			       = a2port(sport)) == 0) {
+				fatal("%s line %d: Bad forwarding port(s) '%s'\n",
+				      filename, linenum, arg);
+				exit(1);
+			}
+			options->forward_permit_addr[options->num_forward_permits++] =
+			    xstrdup(buf);
+		}
+		}
+		break;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
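Review bot: Both sscanf patterns in the `sForwardPermit` case accept trailing characters after the port, so `host:123456` is stored as port 12345 and `host:22x` as port 22 with no error. For an allow-list directive, a mistyped entry should be rejected rather than silently permitting a different destination. Adding `%n` to each pattern and requiring `arg[n] == '\0'` closes this, as shown below. The `exit(1);` after `fatal()` is unreachable and can be dropped, and the two new messages end in `\n` where the existing `fatal()` call in this case does not. The enclosing switch and function start and end outside the hunk.

```c
		char buf[256];
		char sport[6];
		int n = 0;	/* characters consumed, filled in by %n */

		/* … unchanged: strdelim loop header and MAX_FORWARD_PERMITS check … */
			if ((sscanf(arg, "%255[^:]:%5[0123456789]%n",
			    buf, sport, &n) != 2 || arg[n] != '\0') &&
			    (sscanf(arg, "%255[^/]/%5[0123456789]%n",
			    buf, sport, &n) != 2 || arg[n] != '\0')) {
		/* … unchanged: fatal() on bad specification, a2port() check, xstrdup() … */
```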
diff -ur openssh-5.1p1.original/servconf.h openssh-5.1p1/servconf.h
--- openssh-5.1p1.original/servconf.h	2009-01-06 16:20:50.000000000 +0100
+++ openssh-5.1p1/servconf.h	2009-01-06 16:42:42.000000000 +0100
@@ -25,6 +25,7 @@
 #define MAX_SUBSYSTEMS		256	/* Max # subsystems. */
 #define MAX_HOSTKEYS		256	/* Max # hostkeys. */
 #define MAX_ACCEPT_ENV		256	/* Max # of env vars. */
+#define MAX_FORWARD_PERMITS	256     /* Max # of forward permits */
 #define MAX_MATCH_GROUPS	256	/* Max # of groups for Match. */
 
 /* permit_root_login */
@@ -149,6 +150,10 @@
 
 	int	permit_tun;
 
+	u_int   num_forward_permits;
+	u_short forward_permit_ports[MAX_FORWARD_PERMITS];
+	char   *forward_permit_addr[MAX_FORWARD_PERMITS];
+
 	int	num_permitted_opens;
 
 	char   *chroot_directory;
diff -ur openssh-5.1p1.original/session.c openssh-5.1p1/session.c
--- openssh-5.1p1.original/session.c	2008-06-16 15:29:18.000000000 +0200
+++ openssh-5.1p1/session.c	2009-01-06 16:44:19.000000000 +0100
@@ -261,8 +261,17 @@
 	setproctitle("%s", authctxt->pw->pw_name);
 
 	/* setup the channel layer */
-	if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
-		channel_permit_all_opens();
+	if (!no_port_forwarding_flag && options.allow_tcp_forwarding) {
+		if(!options.num_forward_permits)
+			channel_permit_all_opens();
+		else {
+			int i;
+
+			for(i=0; i<options.num_forward_permits; i++)
+				channel_add_permitted_opens(options.forward_permit_addr[i],
+							    options.forward_permit_ports[i]);
+		}
+	}
 
 	if (compat20)
 		do_authenticated2(authctxt);
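Review bot: `if(!options.num_forward_permits)` treats a count of zero as "no restriction", so a `ForwardPermit` line with no arguments leaves every open permitted; the parsing loop in servconf.c accepts such a line without error. Rejecting an empty directive in the parser would make that case fail closed. The loop also compares `int i` with the `u_int` counter declared in servconf.h; `u_int i;` avoids the signed/unsigned comparison. It is worth confirming whether `channel_add_permitted_opens()` appends to the same list that per-key restrictions use (not visible here), because server-wide entries would then widen a narrower per-key list. The enclosing function starts and ends outside the hunk.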

