> Hi,
>
> I found some new info...
>
> short description of problem : replaced SNAT-ing ipfilter (solaris) by an
> SNAT-ing netfilter (linux) three days ago and since then people are
> complaining that ssh-sessions that are left alone for a while tend to die.
> MUST be a difference between ipfilter and netfilter.
>

I'm not sure what that would be, but here is something related from man
ssh_config:

     KeepAlive
             Specifies whether the system should send TCP keepalive messages
             to the other side.  If they are sent, death of the connection or
             crash of one of the machines will be properly noticed.  This
             option only uses TCP keepalives (as opposed to using ssh level
             keepalives), so takes a long time to notice when the connection
             dies.  As such, you probably want the ProtocolKeepAlives option
             as well.  However, this means that connections will die if the
             route is down temporarily, and some people find it annoying.

So there are a number of things that you can do with SSH itself. I would
check into these for a solution.

TBH I can't see what ipfilter would have done differently in this
situation: it's not possible for a NAT device to track connections
indefinitely -- maybe the timeout was just large enough that your users
didn't notice before?