On (2003/08/28 09:40), Guido van Rooij wrote:
> > > man sshd_config(5)?
> > >
> > > KeepAlive
> > > Specifies whether the system should send TCP keepalive messages
> >
> > This doesn't help with a stateful firewall, because KeepAlives happen
> > out-of-band. Read the manpage yourself. :-)
>
> What do you mean with out-of-band? It uses the same tcp connection
> and thus, w.r.t the ipf package, happens inbound.
What, KeepAlive? Are you sure? I have all my ipf-protected hosts use this
configuration:

    KeepAlive no
    ClientAliveInterval 30
    ClientAliveCountMax 120

I've been doing this since about 2 years ago, because "KeepAlive yes" on its
own was guaranteed to hang my sessions. I based this configuration on the
following documentation in the sshd_config manpage:

    ClientAliveInterval
        Sets a timeout interval in seconds after which if no data has been
        received from the client, sshd will send a message through the
        encrypted channel to request a response from the client.
    ...
    ClientAliveCountMax
    ...
        It is important to note that the use of client alive messages is
        very different from KeepAlive (below). The client alive messages
        are sent through the encrypted channel and therefore will not be
        spoofable. The TCP keepalive option enabled by KeepAlive is
        spoofable. The client alive mechanism is valuable when the client
        or server depend on knowing when a connection has become inactive.

Ciao,
Sheldon.
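An added example (not part of the thread) that reads the two kinds of configuration discussed above the way a reviewer of sshd_config would: it reports whether idle sessions are probed inside the encrypted channel or only by TCP keepalive, and how long sshd waits (ClientAliveInterval times ClientAliveCountMax) before giving up on a silent client. The firewall idle timeout passed to assess() is an assumed value; the thread gives none.

```python
# Constructed sshd_config excerpts (not taken from the thread). The first mirrors
# the settings in the post above; the second relies on TCP keepalive alone.
CLIENT_ALIVE_CONFIG = """\
# sshd_config excerpt
KeepAlive no
ClientAliveInterval 30
ClientAliveCountMax 120
"""
TCP_KEEPALIVE_ONLY_CONFIG = "KeepAlive yes\n"

# sshd defaults: ClientAliveInterval 0 disables client-alive probing,
# ClientAliveCountMax is 3, KeepAlive is on.
DEFAULTS = {"keepalive": "yes", "clientaliveinterval": 0, "clientalivecountmax": 3}


def parse_sshd_config(text):
    """Extract the keepalive-related directives; first occurrence wins, as in sshd."""
    conf = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key in conf and key not in seen:
            seen.add(key)
            conf[key] = value.strip().lower() if key == "keepalive" else int(value)
    return conf


def assess(conf, firewall_idle_timeout):
    """Report how an idle session is kept alive and when sshd would drop it.

    firewall_idle_timeout: assumed idle timeout (seconds) of the stateful filter
    in front of sshd; a probe interval no shorter than this cannot refresh state.
    """
    interval, count = conf["clientaliveinterval"], conf["clientalivecountmax"]
    report = {"in_channel_probes": interval > 0,
              "tcp_keepalive": conf["keepalive"] == "yes",
              "dead_client_after": interval * count if interval else None,
              "warnings": []}
    if interval == 0:
        report["warnings"].append("no client-alive probes; only spoofable TCP keepalive")
    elif interval >= firewall_idle_timeout:
        report["warnings"].append("ClientAliveInterval not shorter than firewall idle timeout")
    return report
```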
