[ale] Robust Reverse Tunnels via SSH
Bob Toxen
transam at VerySecureLinux.com
Wed Aug 20 14:37:16 EDT 2008
One possibility is that IP Masquerading (NATing) is involved and after a
long period of inactivity, the Firewall drops the IP Masquerading
information.

Try adding the following line to /etc/rc.d/rc.local of your system
behind the Firewall:

    echo 180 > /proc/sys/net/ipv4/tcp_keepalive_time

Bob Toxen
bob at verysecurelinux.com [Please use for email to me]
"Microsoft: Unsafe at any clock speed!"
-- Bob Toxen 10/03/2002

On Wed, Aug 20, 2008 at 11:50:40AM -0400, Greg Freemyer wrote:
> All,
>
> Does anyone know a recipe for "Robust Reverse Tunnels via SSH", or
> some other robust way to achieve reverse tunnels.
>
> === background
>
> I've seen a few posts about ssh agent forwarding, etc. That assumes
> you have at least one way through the firewall.
>
> I need to talk to a machine behind a firewall and I don't want to open
> up a port. ssh with the -R option puts in place a reverse tunnel to a
> gateway server. Exactly what I want to do.
>
> I've tried to set it up this weekend. It works, but it has not been
> very robust.
>
> I've seen comments online saying you can add an entry to crontab to
> address that. I've done that as well and I can see the new ssh
> sessions being initiated from the remote server on my gateway server,
> but when I try ssh to the gateway port, I get nothing more often than
> not. (It has worked a few times, so I have the basic concepts right.)
>
> Thanks
> Greg
> --
> Greg Freemyer
> Litigation Triage Solutions Specialist
> http://www.linkedin.com/in/gregfreemyer
> First 99 Days Litigation White Paper -
> http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
>
> The Norcross Group
> The Intersection of Evidence & Technology
> http://www.norcrossgroup.com
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
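
Added example, not part of the original thread: a small supervisor script for the `ssh -R` tunnel discussed above that keeps the NAT entry alive with SSH-level keepalives and checks the kernel setting from the reply against the firewall's idle timeout. The gateway account, ports, and the 300-second NAT idle timeout are assumed placeholder values.

```shell
#!/bin/sh
# Added example. GATEWAY, REMOTE_PORT, LOCAL_TARGET and NAT_IDLE are assumed
# placeholder values; set them for your own network.
GATEWAY="${GATEWAY:-tunnel@gateway.example.org}"  # account on the gateway server
REMOTE_PORT="${REMOTE_PORT:-2222}"                # listener opened on the gateway
LOCAL_TARGET="${LOCAL_TARGET:-localhost:22}"      # service behind the firewall
NAT_IDLE="${NAT_IDLE:-300}"                       # assumed NAT idle timeout (seconds)

# Probe interval: half the NAT idle timeout, capped at the 180 s from the reply.
probe_interval() {
    half=$(( $1 / 2 ))
    if [ "$half" -lt 180 ]; then echo "$half"; else echo 180; fi
}

# The kernel keepalive helps only if its first probe fires before the NAT
# entry expires. $1 = tcp_keepalive_time, $2 = NAT idle timeout.
kernel_keepalive_ok() {
    [ "$1" -lt "$2" ]
}

# ssh arguments for the reverse tunnel.
# ServerAliveInterval/CountMax: probes inside the SSH session; ssh exits
#   after 3 unanswered probes, so a dead tunnel does not linger.
# ExitOnForwardFailure: ssh exits if the gateway port cannot be bound,
#   instead of staying connected without a listener.
tunnel_args() {
    echo "-N -o BatchMode=yes -o ExitOnForwardFailure=yes" \
         "-o ServerAliveInterval=$(probe_interval "$NAT_IDLE")" \
         "-o ServerAliveCountMax=3" \
         "-R $REMOTE_PORT:$LOCAL_TARGET $GATEWAY"
}

# Restart the tunnel whenever ssh exits.
run_tunnel() {
    # 7200 is the Linux default, used here if /proc is not readable.
    kt=$(cat /proc/sys/net/ipv4/tcp_keepalive_time 2>/dev/null || echo 7200)
    kernel_keepalive_ok "$kt" "$NAT_IDLE" ||
        echo "warning: tcp_keepalive_time=$kt >= NAT idle $NAT_IDLE" >&2
    while :; do
        # Unquoted on purpose: the option string is split into words.
        ssh $(tunnel_args)
        sleep 30
    done
}

if [ "${1:-}" = "run" ]; then run_tunnel; fi
```

Invoke the script with the argument `run` to start the loop; without it the script only defines the functions.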