Re: Port Forwarding over Unreliable Connections

From: Per Hedeland (per_at_hedeland.org)
Date: 11/22/05


Date: Tue, 22 Nov 2005 08:02:01 +0000 (UTC)

In article <m2psotzh31.fsf@euterpe.local> Gregory Novak
<novak@ucolick.org> writes:
>I make extensive use of ssh port forwarding to access machines behind
>firewalls, etc. I often run programs that require persistent
>connections over these ports (such as X11 programs). Unfortunately my
>home DSL connection has become unreliable lately, going down for a few
>minutes and then coming back. This often has the effect of killing
>the programs that rely on the forwarded connections.
>
>I would much prefer it if the forwarded connections behaved more like
>plain vanilla TCP connections--if the network goes down, they should
>patiently wait a long time before finally snipping the connection.
>
>Ideally, this would even include starting a new ssh process to handle
>the port forwarding. My understanding of ssh port forwarding is that
>ssh simply catches the TCP packets at one end, shoots them over the
>secure connection, and allows them to pop out at the other end.

Well, unfortunately your understanding is flawed - there are actually
two separate TCP connections when you do port forwarding, one from the
local program to ssh, and one from sshd to the remote program (in the
other direction for reverse or X11 forwarding of course). No way could
you replace the ssh/sshd in the middle without the local and remote
programs cooperating by establishing new connections, and no way can
this be "fixed" in ssh - you basically need "true" VPN capability for
that (which is possible but quite awkward to do on top of ssh port
forwarding).

There's no obvious reason the ssh<->sshd connection (including the
"embedded" port forwarding connections) couldn't survive "outage" like
"plain vanilla TCP connections" though, since that's exactly what it
is. There is various "keepalive" (or "killdead") functionality that may
cause problems with this though - it's not there to cause problems, but
primarily to detect the case where the ssh client has "gone away"
permanently without closing the connection properly, since otherwise the
sshd and associated programs on the server end could be left running
indefinitely. Search the ssh_config and sshd_config man pages for
"Alive" to learn more about this.

And of course any "keepalive" or similar periodic traffic from the
programs using the port forwarding will have a similar effect - a TCP
connection with pending data to send will not survive very long in most
current OSes in my experience.

--Per Hedeland
per@hedeland.org
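As an added illustration of the "Alive" options Per points to (this is not part of the original post; the option names are OpenSSH's ssh_config/sshd_config keywords, the host name and forward are placeholders, and the interval/count values are chosen for illustration), here is a client stanza that gives up after a short blip next to one sized for a multi-minute DSL drop, plus the matching server-side settings:

```sshconfig
# ~/.ssh/config (client side) -- added example, not from the original post.
#
# Fragile on a flaky link: a short ServerAliveInterval is often set to keep
# NAT state warm, but with the default ServerAliveCountMax of 3 ssh declares
# the server dead after 3 missed replies, i.e. 3 * 15 = 45 seconds of
# outage, exits, and takes every forwarded connection with it.
Host flaky-fragile
    HostName gateway.example.org       # placeholder host
    ServerAliveInterval 15
    ServerAliveCountMax 3

# Tolerant: keep probing, but allow 20 missed replies before giving up, so
# an outage of up to 30 * 20 = 600 seconds (10 minutes) is ridden out.
# The forwarded TCP connections on both ends stay open meanwhile, provided
# nothing is queued to send on them (see the last paragraph of the post).
Host flaky-tolerant
    HostName gateway.example.org       # placeholder host
    ServerAliveInterval 30
    ServerAliveCountMax 20
    TCPKeepAlive no                    # don't let the OS keepalive tear it down first
    LocalForward 6001 localhost:6000   # illustrative forward, e.g. an X11 display

# /etc/ssh/sshd_config (server side) -- the mirror image. ClientAlive* exists
# to reap sessions whose client vanished for good; its interval * count must
# also exceed the expected outage, or sshd closes the session (and with it
# the remote ends of the forwards) before the link comes back.
ClientAliveInterval 30
ClientAliveCountMax 20
TCPKeepAlive no
```

Two caveats follow from the post itself. First, this only helps an idle tunnel: once the application or ssh has data queued, the kernel retransmits until its own limit (on the order of 15 minutes on Linux with the default tcp_retries2 of 15, often much less elsewhere), and no ssh option extends that. Second, the longer you let a silent session live, the longer a genuinely dead client's sshd and forwarded processes linger on the server, which is exactly the case these options exist to catch; size the product to the outages you actually see rather than disabling the check outright.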
