benno helped me clean up the tcp forwarding section;

usr.bin/ssh/ssh.1

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.401 2019/03/05 16:17:12 naddy Exp $
-.Dd $Mdocdate: March 5 2019 $
+.\" $OpenBSD: ssh.1,v 1.402 2019/03/16 19:14:21 jmc Exp $
+.Dd $Mdocdate: March 16 2019 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -1090,49 +1090,35 @@ Increase the verbosity
 when errors are being written to stderr.
 .El
 .Sh TCP FORWARDING
-Forwarding of arbitrary TCP connections over the secure channel can
-be specified either on the command line or in a configuration file.
+Forwarding of arbitrary TCP connections over a secure channel
+can be specified either on the command line or in a configuration file.
 One possible application of TCP forwarding is a secure connection to a
 mail server; another is going through firewalls.
 .Pp
-In the example below, we look at encrypting communication between
-an IRC client and server, even though the IRC server does not directly
-support encrypted communications.
+In the example below, we look at encrypting communication for an IRC client,
+even though the IRC server it connects to does not directly
+support encrypted communication.
 This works as follows:
 the user connects to the remote host using
 .Nm ,
-specifying a port to be used to forward connections
-to the remote server.
-After that it is possible to start the service which is to be encrypted
-on the client machine,
-connecting to the same local port,
+specifying the ports to be used to forward the connection.
+After that it is possible to start the program locally,
 and
 .Nm
-will encrypt and forward the connection.
+will encrypt and forward the connection to the remote server.
 .Pp
-The following example tunnels an IRC session from client machine
-.Dq 127.0.0.1
-(localhost)
-to remote server
-.Dq server.example.com :
-.Bd -literal -offset 4n
-$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
-$ irc -c '#users' -p 1234 pinky 127.0.0.1
-.Ed
-.Pp
-This tunnels a connection to IRC server
+The following example tunnels an IRC session from the client
+to an IRC server at
 .Dq server.example.com ,
 joining channel
 .Dq #users ,
 nickname
 .Dq pinky ,
-using port 1234.
-It doesn't matter which port is used,
-as long as it's greater than 1023
-(remember, only root can open sockets on privileged ports)
-and doesn't conflict with any ports already in use.
-The connection is forwarded to port 6667 on the remote server,
-since that's the standard port for IRC services.
+using the standard IRC port, 6667:
+.Bd -literal -offset 4n
+$ ssh -f -L 6667:localhost:6667 server.example.com sleep 10
+$ irc -c '#users' pinky IRC/127.0.0.1
+.Ed
 .Pp
 The
 .Fl f
@@ -1142,7 +1128,7 @@ and the remote command
 .Dq sleep 10
 is specified to allow an amount of time
 (10 seconds, in the example)
-to start the service which is to be tunnelled.
+to start the program which is going to use the tunnel.
 If no connections are made within the time specified,
 .Nm
 will exit.