The idea is the following:
I have a port open (P) on a remote machine (R) with a service application running which is listening on (P). I would like to connect from a client machine to the service application on the remote machine.
Possibility 1:
I leave the port open so I can connect directly from my client via the IP and the port to the service application on the remote machine.
Possibility 2:
I restrict the service application via firewall to localhost and forward (P) with an ssh tunnel to my client machine.
My own conclusion:
If I open the port of the service application across the internet, then I have to trust that it cannot be exploited for remote code execution on (R).
If I use an ssh tunnel, then I only have to trust that the listening ssh port cannot be exploited. The number of open ports is reduced, and hence so is the attack surface (from my point of view). I would still be vulnerable if my client machine was compromised, but I'm accepting that risk anyway when using ssh.
Question:
So my question is, is my conclusion correct? Is it more secure to use an ssh tunnel and forward a port instead of exposing that port directly?
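Possibility 2 in the question above has two halves: the service on (R) must really be reachable only on loopback, and the client then reaches it through an ssh local port forward. The script below is an added example, not code from the original post; it assumes TCP port 8080 stands in for (P), that sshd on (R) is reachable as `user@remote.example` (placeholder), and it uses a constructed sample of `ss -ltnH` output rather than a capture from a real host. `loopback_only` is the check a practitioner would run on (R) before trusting the firewall restriction: it fails if any listener on the port is bound to a non-loopback address such as `0.0.0.0` or `[::]`.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: port 8080 plays the
# role of (P); user@remote.example is a placeholder for sshd on (R).

# Build the ssh command for a local port forward: traffic to 127.0.0.1:$1 on
# the client is carried over the SSH session to 127.0.0.1:$2 on R.
# -N runs no remote command (forwarding only); binding the client side to
# 127.0.0.1 explicitly keeps the forwarded port off the client's network
# interfaces as well.
ssh_forward_cmd() {
    # $1 = local port on the client, $2 = port of the service on R,
    # $3 = ssh destination (user@host)
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s\n' "$1" "$2" "$3"
}

# Returns 0 when every listening TCP socket on port $1 in the supplied
# `ss -ltnH` output ($2) is bound to a loopback address, 1 if any listener on
# that port is bound elsewhere (reachable from the network).
# Columns of `ss -ltnH`: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
loopback_only() {
    port="$1"
    printf '%s\n' "$2" | while read -r state rq sq laddr rest; do
        [ -n "$laddr" ] || continue
        lport="${laddr##*:}"      # text after the last colon: the port
        host="${laddr%:*}"        # text before the last colon: the address
        if [ "$lport" = "$port" ] \
            && [ "$host" != "127.0.0.1" ] && [ "$host" != "[::1]" ]; then
            exit 1                # exposed listener found; fail the pipeline
        fi
    done
}

# Live variant for use on R itself (requires iproute2's ss to be installed).
check_live_port() {
    loopback_only "$1" "$(ss -ltnH)"
}

# Constructed sample output, not captured from a real host: the service is
# bound to loopback only, sshd is the only network-facing listener.
SAMPLE_GOOD='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed sample where the service still listens on all interfaces, so a
# host firewall is the only thing standing between it and the internet.
SAMPLE_BAD='LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

if [ "${1:-}" = "demo" ]; then
    ssh_forward_cmd 8080 8080 user@remote.example
    loopback_only 8080 "$SAMPLE_GOOD" && echo "sample good: loopback only"
    loopback_only 8080 "$SAMPLE_BAD" || echo "sample bad: port 8080 exposed"
fi
```

Run `sh script.sh demo` to print the forward command and evaluate both samples. The point of checking the bind address as well as the firewall rule is that the two are independent controls: a service bound to `127.0.0.1` stays unreachable even if the firewall rule is later dropped or reordered, whereas a service on `0.0.0.0` depends entirely on the firewall being right.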