diff -uprk.orig openssh-3.6.1p1.orig/clientloop.c openssh-3.6.1p1/clientloop.c
--- openssh-3.6.1p1.orig/clientloop.c	2003-04-01 15:43:39 +0400
+++ openssh-3.6.1p1/clientloop.c	2003-04-11 19:50:52 +0400
@@ -319,8 +319,10 @@ client_check_window_change(void)
 
 static void
 client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
-    int *maxfdp, int *nallocp, int rekeying)
+    int *maxfdp, int *nallocp, int rekeying, int trans_inter)
 {
+	int select_return;
+
 	/* Add any selections by the channel mechanism. */
 	channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying);
 
@@ -362,13 +364,38 @@ client_wait_until_can_do_something(fd_se
 	/*
 	 * Wait for something to happen.  This will suspend the process until
 	 * some selected descriptor can be read, written, or has some other
-	 * event pending. Note: if you want to implement SSH_MSG_IGNORE
-	 * messages to fool traffic analysis, this might be the place to do
-	 * it: just have a random timeout for the select, and send a random
-	 * SSH_MSG_IGNORE packet when the timeout expires.
+	 * event pending.
+	 *	Implemented timeout SSH_MSG_IGNORE packets to keep a minimum
+	 * frequency of traffic present on a connection.  This can be used to
+	 * prevent a firewall (ip_masq f.e.) from timing out and causing a new
+	 * port to be allocated which effectively kills the connection.
+	 *	To fool traffic analysis, the timeout on the SSH_MSG_IGNORE
+	 * packets set randomly instead of periodically.
 	 */
 
-	if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) {
+	if( trans_inter > 0 ) {
+		struct timeval timeout;
+		timeout.tv_sec = trans_inter *
+		    (1 + (arc4random() / (double) UINT_MAX - 0.5));
+		timeout.tv_usec = 1000000 * (arc4random() / (double) UINT_MAX);
+		select_return = select((*maxfdp)+1, *readsetp, *writesetp,
+		    NULL, &timeout);
+		if( !select_return ) {
+			int len = 1 + (arc4random() & 63);
+			int data[len];
+			int i;
+
+			for (i = 0; i < len; ++i)
+				data[i] = arc4random();
+			packet_start(SSH_MSG_IGNORE);
+			packet_put_string((char *)data, sizeof(data));
+			packet_send();
+		}
+	} else
+		select_return = select((*maxfdp)+1, *readsetp, *writesetp,
+		    NULL, NULL);
+
+	if( select_return < 0 ) {
 		char buf[100];
 
 		/*
@@ -960,7 +987,7 @@ client_loop(int have_pty, int escape_cha
 		 */
 		max_fd2 = max_fd;
 		client_wait_until_can_do_something(&readset, &writeset,
-		    &max_fd2, &nalloc, rekeying);
+		    &max_fd2, &nalloc, rekeying, options.trans_inter);
 
 		if (quit_pending)
 			break;
diff -uprk.orig openssh-3.6.1p1.orig/readconf.c openssh-3.6.1p1/readconf.c
--- openssh-3.6.1p1.orig/readconf.c	2003-04-11 19:50:16 +0400
+++ openssh-3.6.1p1/readconf.c	2003-04-11 19:50:52 +0400
@@ -81,6 +81,7 @@ RCSID("$OpenBSD: readconf.c,v 1.104 2003
      RhostsRSAAuthentication yes
      StrictHostKeyChecking yes
      KeepAlives no
+     TransmitInterlude 0
      IdentityFile ~/.ssh/identity
      Port 22
      EscapeChar ~
@@ -107,7 +108,7 @@ typedef enum {
 	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
 	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
 	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
-	oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
+	oCompressionLevel, oKeepAlives, oTransmitInterlude, oNumberOfPasswordPrompts,
 	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oSshVersion,
 	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
@@ -179,6 +180,7 @@ static struct {
 	{ "compression", oCompression },
 	{ "compressionlevel", oCompressionLevel },
 	{ "keepalive", oKeepAlives },
+	{ "transmitinterlude", oTransmitInterlude },
 	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
 	{ "loglevel", oLogLevel },
 	{ "dynamicforward", oDynamicForward },
@@ -416,6 +418,10 @@ parse_flag:
 		intptr = &options->no_host_authentication_for_localhost;
 		goto parse_flag;
 
+	case oTransmitInterlude:
+		intptr = &options->trans_inter;
+		goto parse_int;
+
 	case oNumberOfPasswordPrompts:
 		intptr = &options->number_of_password_prompts;
 		goto parse_int;
@@ -772,6 +778,7 @@ initialize_options(Options * options)
 	options->strict_host_key_checking = -1;
 	options->compression = -1;
 	options->keepalives = -1;
+	options->trans_inter = -1;
 	options->compression_level = -1;
 	options->port = -1;
 	options->connection_attempts = -1;
@@ -861,6 +868,8 @@ fill_default_options(Options * options)
 		options->compression = 0;
 	if (options->keepalives == -1)
 		options->keepalives = 1;
+	if (options->trans_inter == -1)
+		options->trans_inter = 0;
 	if (options->compression_level == -1)
 		options->compression_level = 6;
 	if (options->port == -1)
diff -uprk.orig openssh-3.6.1p1.orig/readconf.h openssh-3.6.1p1/readconf.h
--- openssh-3.6.1p1.orig/readconf.h	2003-04-11 19:50:16 +0400
+++ openssh-3.6.1p1/readconf.h	2003-04-11 19:50:52 +0400
@@ -61,6 +61,7 @@ typedef struct {
 	int     compression_level;	/* Compression level 1 (fast) to 9
 					 * (best). */
 	int     keepalives;	/* Set SO_KEEPALIVE. */
+	int     trans_inter;	/* Guarantee transmit every n seconds. */
 	LogLevel log_level;	/* Level for logging. */
 
 	int     port;		/* Port to connect. */
diff -uprk.orig openssh-3.6.1p1.orig/ssh_config openssh-3.6.1p1/ssh_config
--- openssh-3.6.1p1.orig/ssh_config	2002-07-04 04:19:41 +0400
+++ openssh-3.6.1p1/ssh_config	2003-04-11 19:50:52 +0400
@@ -26,6 +26,7 @@
 #   BatchMode no
 #   CheckHostIP yes
 #   StrictHostKeyChecking ask
+#   TransmitInterlude 0
 #   IdentityFile ~/.ssh/identity
 #   IdentityFile ~/.ssh/id_rsa
 #   IdentityFile ~/.ssh/id_dsa
diff -uprk.orig openssh-3.6.1p1.orig/ssh_config.5 openssh-3.6.1p1/ssh_config.5
--- openssh-3.6.1p1.orig/ssh_config.5	2003-04-11 19:50:16 +0400
+++ openssh-3.6.1p1/ssh_config.5	2003-04-11 19:50:52 +0400
@@ -370,6 +370,22 @@ This is important in scripts, and many u
 .Pp
 To disable keepalives, the value should be set to
 .Dq no .
+.It Cm TransmitInterlude
+Specifies a maximum time to allow between transmitting packets,
+in seconds.  If this amount of time passes and the client has
+no data to send, it will send an ignore packet to the server.
+One example where this is useful is when using ssh from behind
+a Linux ip_masquerade firewall.  If packets aren't sent through
+such a firewall periodically, the firewall may forget about the
+connection.  Then when a packet finally is sent, the firewall
+will assign a new port, which will cause the remote server to
+disconnect the session.  This option defaults to
+.Dq 0 ,
+which means not sending periodic packets.  A setting of a few
+hundred seconds should be about right if this is needed.  You
+should probably try setting KeepAlive to
+.Dq yes
+in your conf files on both the server and the client first.
 .It Cm KerberosAuthentication
 Specifies whether Kerberos authentication will be used.
 The argument to this keyword must be