Re: Port Forwarding over Unreliable Connections

From: Per Hedeland (
Date: 11/22/05

Date: Tue, 22 Nov 2005 08:02:01 +0000 (UTC)

In article <m2psotzh31.fsf@euterpe.local> Gregory Novak
<> writes:
>I make extensive use of ssh port forwarding to access machines behind
>firewalls, etc. I often run programs that require presistent
>connections over these ports (such as X11 programs). Unfortunately my
>home DSL connection has become unreliable lately, going down for a few
>minutes and then coming back. This often has the effect of killing
>the programs that rely on the forwarded connections.
>I would much prefer it if the forwarded connections behaved more like
>plain vanilla TCP connections--if the network goes down, they should
>patiently wait a long time before finally snipping the connection.
>Ideally, this would even include starting a new ssh process to handle
>the port forwarding. My understanding of ssh port forwarding is that
>ssh simply catches the TCP packets at one end, shoots them over the
>secure connection, and allows them to pop out at the other end.

Well, unfortunately your understanding is flawed - there are actually
two separate TCP connections when you do port forwarding, one from the
local program to ssh, and one from sshd to the remote program (in the
other direction for reverse or X11 forwarding of course). No way could
you replace the ssh/sshd in the middle without the local and remote
programs cooperating by establishing new connections, and no way can
this be "fixed" in ssh - you basically need "true" VPN capability for
that (which is possible but quite awkward to do on top of ssh port

There's no obvious reason the ssh<->sshd connection (including the
"embedded" port forwarding connections) couldn't survive "outage" like
"plain vanilla TCP connections" though, since that's exactly what it
is. There is various "keepalive" (or "killdead") functionality that may
cause problems wih this though - it's not there to cause problems, but
primarily to detect the case where the ssh client has "gone away"
permanently without closing the connection properly, since otherwise the
sshd and assocated programs on the server end could be left running
indefinitely. Search the ssh_config and sshd_config man pages for
"Alive" to learn more about this.

And of course any "keepalive" or similar periodic traffic from the
programs using the port forwarding will have a similar effect - a TCP
connection with pending data to send will not survive very long in most
current OSes in my experience.

--Per Hedeland