[NCLUG] ssh timeout - More info...
Mark Fassler
fassler at monkeysoft.net
Fri Mar 2 13:44:16 MST 2001
The firewall route:
-------------------
To change the TCP timeout on the masquerading on your firewall:
ipchains -M -S 7200 120 300
This will set the TCP timeout to 7200 seconds (2 hours), the TCP FIN timeout to 120
seconds (2 minutes) and the UDP timeout to 300 seconds (5 minutes).
I think the default is 900 120 300 (15 minutes, 2 minutes, 5 minutes).
For connections that spend a long time idle, you probably want the timeout
to be in the neighborhood of 2 hours (or slightly longer).
The Application route:
----------------------
If you want something to have an infinite idle time, you'll still need
keep-alives.
It turns out that KeepAlive is broken in OpenSSH 2.3. You'll probably
want to upgrade to 2.5.
The keep_alive time for the kernel is in
/proc/sys/net/ipv4/tcp_keepalive_time. This is set to 7200 seconds by
default (2 hours). So if you simply turn KeepAlive on without adjusting
anything, it still won't work.
2 options:
- you can make the TCP timeout on your firewall last longer than
two hours (as well as turning on KeepAlive in ssh)
- or you can make the tcp_keepalive_time on the client or server be
shorter (as well as turning on KeepAlive in ssh).
To set tcp_keepalive_time to be 5 minutes just do:
echo 300 >/proc/sys/net/ipv4/tcp_keepalive_time
(note that the kernel doesn't seem interested in making the keepalives be
any shorter than 90 seconds or so...)
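As an added example (not part of the original post), here is a small POSIX shell script that puts the two numbers above side by side: the masquerade TCP timeout on the firewall and the kernel's tcp_keepalive_time. It reads the kernel value from /proc when it can (falling back to the 7200 second default), checks whether a keepalive probe would go out before the firewall forgets the idle connection, and prints the command for whichever route you pick. The function names and the 90 second floor are this example's own choices; the floor comes from the note about the kernel not going much shorter than that.

```shell
#!/bin/sh
# Added example: does an idle ssh session survive the firewall's masquerade
# TCP timeout once KeepAlive is on?  Not code from the original post.

# Current kernel keepalive time in seconds (default 7200 = 2 hours).
kernel_keepalive_time() {
    if [ -r /proc/sys/net/ipv4/tcp_keepalive_time ]; then
        cat /proc/sys/net/ipv4/tcp_keepalive_time
    else
        echo 7200
    fi
}

# idle_survives FW_TIMEOUT KA_TIME
# Succeeds (exit 0) when the first keepalive probe is sent strictly before
# the masquerade entry expires, so the firewall keeps seeing traffic.
idle_survives() {
    fw_timeout=$1
    ka_time=$2
    [ "$ka_time" -lt "$fw_timeout" ]
}

# recommend_keepalive_time FW_TIMEOUT
# A keepalive time that fires with margin: half the firewall timeout,
# but never below the ~90 s the kernel will actually honour (assumption).
recommend_keepalive_time() {
    fw_timeout=$1
    half=$((fw_timeout / 2))
    if [ "$half" -lt 90 ]; then
        echo 90
    else
        echo "$half"
    fi
}

# recommend_firewall_timeout KA_TIME
# The other route: make the masquerade timeout outlive the keepalive time.
# Adds a 10 minute margin so a single lost probe does not drop the entry.
recommend_firewall_timeout() {
    ka_time=$1
    echo $((ka_time + 600))
}

# print_plan FW_TIMEOUT KA_TIME
# Prints, without running anything, the command for each route.
print_plan() {
    fw_timeout=$1
    ka_time=$2
    if idle_survives "$fw_timeout" "$ka_time"; then
        echo "ok: keepalive every ${ka_time}s beats firewall timeout of ${fw_timeout}s"
        return 0
    fi
    echo "problem: keepalive (${ka_time}s) is not shorter than firewall timeout (${fw_timeout}s)"
    echo "firewall route:    ipchains -M -S $(recommend_firewall_timeout "$ka_time") 120 300"
    echo "application route: echo $(recommend_keepalive_time "$fw_timeout") >/proc/sys/net/ipv4/tcp_keepalive_time"
    echo "(either way, turn KeepAlive on in ssh)"
    return 1
}

# Usage: ./check.sh [firewall_tcp_timeout] ; defaults to the 900 s ipchains default.
if [ "${0##*/}" = "check.sh" ]; then
    print_plan "${1:-900}" "$(kernel_keepalive_time)"
fi
```

Run it with the firewall's current TCP masquerade timeout as the only argument; with the stock 900 second firewall value and the stock 7200 second kernel value it reports the mismatch the post describes and prints both fixes.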
--
Mark Fassler
fassler at monkeysoft.net