Re: Port Forwarding over Unreliable Connections

From: Gregory Novak (novak_at_ucolick.org)
Date: 11/22/05


Date: Tue, 22 Nov 2005 06:00:31 -0800

per@hedeland.org (Per Hedeland) writes:
> Well, unfortunately your understanding is flawed - there are actually
> two separate TCP connections when you do port forwarding, one from the
> local program to ssh, and one from sshd to the remote program (in the
> other direction for reverse or X11 forwarding of course). No way could
> you replace the ssh/sshd in the middle without the local and remote
> programs cooperating by establishing new connections, and no way can
> this be "fixed" in ssh - you basically need "true" VPN capability for
> that (which is possible but quite awkward to do on top of ssh port
> forwarding).

I see. That's too bad.

Regarding VPN, I've made several attempts to get it running, all of
which petered out because of the complexity of setting it up combined
with the lack of a clear (in my mind) benefit of doing so. Would VPN
solve this problem for me? That would be enough incentive for me to
get it running...

> There's no obvious reason the ssh<->sshd connection (including the
> "embedded" port forwarding connections) couldn't survive "outage" like
> "plain vanilla TCP connections" though, since that's exactly what it
> is.

Regarding Keepalive packets, I have them turned on for ssh connections
(for unrelated reasons). You think I would have better luck with this
by turning them off? This seems like a fragile situation: I have to
notice when the network goes out and then scrupulously avoid doing
anything that sends any traffic over the connection until the network
comes back. Am I correct in thinking this?

Thank you!
Greg
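
The point made in the quoted reply, that the local program's TCP connection ends at ssh and a second one runs from sshd to the remote program, shown as an added example that is not part of the original thread. A single Python relay stands in for the ssh/sshd pair, and the echo server and all names are constructed for illustration.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes one way until either socket ends or is torn down."""
    try:
        while (data := src.recv(1024)):
            dst.sendall(data)
    except OSError:
        pass

def start_echo():
    """Stand-in for the remote program: echo on one connection."""
    srv = socket.create_server(("127.0.0.1", 0))
    def run():
        with srv.accept()[0] as conn:
            pump(conn, conn)
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

class Relay:
    """Stand-in for ssh+sshd: one inbound connection, one outbound."""
    def __init__(self, target_port):
        self.target_port, self.socks = target_port, []
        self.srv = socket.create_server(("127.0.0.1", 0))
        self.port = self.srv.getsockname()[1]
        threading.Thread(target=self._run, daemon=True).start()

    def _run(self):
        a, _ = self.srv.accept()  # connection 1: local program -> relay
        b = socket.create_connection(("127.0.0.1", self.target_port))  # connection 2
        self.socks = [a, b]
        threading.Thread(target=pump, args=(b, a), daemon=True).start()
        pump(a, b)

    def kill(self):
        for s in self.socks:  # simulate the ssh/sshd pair going away
            s.shutdown(socket.SHUT_RDWR)
            s.close()

def demo():
    relay = Relay(start_echo())
    with socket.create_connection(("127.0.0.1", relay.port), timeout=5) as client:
        client.sendall(b"ping")
        before = client.recv(1024)  # round trip through both connections
        relay.kill()
        return before, client.recv(1024)  # b"": the client's own connection ended

if __name__ == "__main__":
    print(demo())
```

Once the relay is gone the client's socket reports end-of-stream, so a replacement relay cannot pick up that connection; the client has to open a new one.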


