Date: Wed, 04 Aug 2010 13:40:58 +0600
From: "Rushan R. Shaymardanov" <rush@clink.ru>
To: Daniel Hartmeier <daniel@benzedrine.cx>
Cc: freebsd-pf@freebsd.org
Subject: Re: Keeping state of tcp connections
Message-ID: <4C59198A.1060206@clink.ru>
In-Reply-To: <20100804062907.GA3834@insomnia.benzedrine.cx>
References: <4C58D456.5010701@clink.ru> <20100804062907.GA3834@insomnia.benzedrine.cx>
Daniel Hartmeier writes:
> The default timeout for fully established TCP connections in pf is
> 24 hours:
>
> # pfctl -st
> tcp.established 86400s
>
> You can change this value in pf.conf with
>
> set timeout { tcp.established 86400 }

# pfctl -st | grep tcp.established
tcp.established 86400s

> When you establish an SSH connection, you should see a state like
>
> # pfctl -vvss | grep -A 3 ":22 "
>
> sis0 tcp 213.3.30.1:22 <- 83.77.96.2:57802 ESTABLISHED:ESTABLISHED
> [574539409 + 66576] wscale 0 [303632633 + 16656] wscale 3
> age 00:04:03, expires in 23:57:10, 932:894 pkts, 73171:153576 bytes, rule 106
>
> The last part of the first line should read "ESTABLISHED:ESTABLISHED",
> otherwise the connection is not considered fully established by pf
> for some reason, and the 24 hour timeout is not applied.
>
> The "expires in" part on the third line should equal 24 hours minus
> the current idle time. If it reaches zero, the state will be removed.
> Any activity of the connection should reset it to 24 hours.

# pfctl -vvss | grep -A 3 "192.168.50.225" | grep -A 3 "172.16.11.1:22"
all tcp 172.16.11.1:22 <- 192.168.50.225:49021 ESTABLISHED:ESTABLISHED
[3592205748 + 333376] wscale 9 [2021010611 + 1049600] wscale 6
age 00:20:15, expires in 04:13:48, 2107:4297 pkts, 125912:2371908 bytes, rule 293
id: 4c46689c7daad5e7 creatorid: f74cdd39

I think here's the problem. This connection is the one I am using for executing pfctl -ss, so "expires in" must be about 24 hrs, like in your example. But as you can see, the value is 4:13 here. When I execute the command again, I get another value:

gw ~ # pfctl -vvss | grep -A 3 "192.168.50.225" | grep -A 3 "172.16.11.1:22"
all tcp 172.16.11.1:22 <- 192.168.50.225:49021 ESTABLISHED:ESTABLISHED
[3592206868 + 333376] wscale 9 [2021010803 + 1049600] wscale 6
age 00:21:58, expires in 02:35:27, 2119:4305 pkts, 126728:2373444 bytes, rule 293
id: 4c46689c7daad5e7 creatorid: f74cdd39

Every time I execute this command, the value changes from 1:xx to 4:xx.

> So, does your state vanish after less idle time?

Yes.

> Did you change the timeout in pf?

No.

> Are you sure neither side (server or client) is sending a TCP FIN
> or RST (have you captured an entire connection with tcpdump)?

Yes, I am sure.

> Did you manually remove the state (reboot the pf machine, pfctl -Fa
> or pfctl -Fs, or such)?

No.

> Daniel

Rushan
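A check for the symptom discussed in this thread, as an added example that is not part of the original mail: it parses `pfctl -st` and `pfctl -vvss` output (a constructed sample in the format shown above, not a live capture) and flags fully established states whose remaining lifetime is far below the configured tcp.established timeout, which is what the thread observes on the SSH session. The threshold fraction (`tolerance`) is an assumed knob, not a pf setting.

```python
import re

# Constructed sample output in the formats shown in the thread (not a live capture).
PFCTL_ST = """tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
"""

PFCTL_VVSS = """all tcp 172.16.11.1:22 <- 192.168.50.225:49021       ESTABLISHED:ESTABLISHED
   [3592205748 + 333376] wscale 9  [2021010611 + 1049600] wscale 6
   age 00:20:15, expires in 04:13:48, 2107:4297 pkts, 125912:2371908 bytes, rule 293
   id: 4c46689c7daad5e7 creatorid: f74cdd39
all tcp 10.0.0.1:443 <- 192.168.50.10:51000       ESTABLISHED:ESTABLISHED
   [1 + 65535] wscale 7  [2 + 65535] wscale 7
   age 00:04:03, expires in 23:57:10, 932:894 pkts, 73171:153576 bytes, rule 106
   id: 0000000000000001 creatorid: f74cdd39
"""

# First line of a state record: iface proto dst <dir> src STATE:STATE
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<dst>\S+)\s+(?P<dir><->|<-|->)"
    r"\s+(?P<src>\S+)\s+(?P<state>\S+)$")
# Third line: age / expires in / rule number
TIMING_RE = re.compile(r"age (\d+:\d+:\d+), expires in (\d+:\d+:\d+), .*rule (\d+)")


def hms_to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_timeouts(text):
    """Map timeout name -> seconds from `pfctl -st` output."""
    return {name: int(v) for name, v in re.findall(r"^(\S+)\s+(\d+)s$", text, re.M)}


def parse_states(text):
    """Parse `pfctl -vvss` records into dicts; lines we do not need are skipped."""
    states, cur = [], None
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            cur = m.groupdict()
            states.append(cur)
            continue
        m = TIMING_RE.search(line)
        if m and cur is not None:
            cur["age"] = hms_to_seconds(m.group(1))
            cur["expires_in"] = hms_to_seconds(m.group(2))
            cur["rule"] = int(m.group(3))
    return states


def short_lived_established(states, timeouts, tolerance=0.5):
    """ESTABLISHED:ESTABLISHED states with less than tolerance * tcp.established
    left. Active traffic resets the counter to the full timeout, so a busy
    session sitting far below it means some other timeout is being applied."""
    limit = timeouts["tcp.established"] * tolerance
    return [s for s in states
            if s["state"] == "ESTABLISHED:ESTABLISHED" and s["expires_in"] < limit]
```

Feed it the real output of the two pfctl commands and compare the flagged states' rule numbers against pf.conf for per-rule timeout overrides before looking elsewhere.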