Date:      Wed, 4 Aug 2010 08:29:07 +0200
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        "Rushan R. Shaymardanov" <rush@clink.ru>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Keeping state of tcp connections
Message-ID:  <20100804062907.GA3834@insomnia.benzedrine.cx>
In-Reply-To: <4C58D456.5010701@clink.ru>
References:  <4C58D456.5010701@clink.ru>

On Wed, Aug 04, 2010 at 08:45:42AM +0600, Rushan R. Shaymardanov wrote:

> When there is, for example some idle ssh connection, pf stops tracking
> it in its states table after some period of inactivity (I don't see it
> in pfctl -ss). So, packets are blocked by my default block rule and my
> connection is closed by timeout.

The default timeout for fully established TCP connections in pf is
24 hours:

  # pfctl -st
  tcp.established           86400s

You can change this value in pf.conf with

  set timeout { tcp.established 86400 }

When you establish an SSH connection, you should see a state like

  # pfctl -vvss | grep -A 3 ":22 "

  sis0 tcp 213.3.30.1:22 <- 83.77.96.2:57802 ESTABLISHED:ESTABLISHED
   [574539409 + 66576] wscale 0  [303632633 + 16656] wscale 3
   age 00:04:03, expires in 23:57:10, 932:894 pkts, 73171:153576 bytes, rule 106

The last part of the first line should read "ESTABLISHED:ESTABLISHED",
otherwise the connection is not considered fully established by pf
for some reason, and the 24 hour timeout is not applied.

The "expires in" part on the third line should equal 24 hours minus
the current idle time. If it reaches zero, the state will be removed.
Any activity of the connection should reset it to 24 hours.

So, does your state vanish after less idle time?
Did you change the timeout in pf?
Are you sure neither side (server or client) is sending a TCP FIN
or RST (have you captured an entire connection with tcpdump)?
Did you manually remove the state (reboot the pf machine, pfctl -Fa
or pfctl -Fs, or such)?

Daniel
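The checklist in the reply above comes down to reading `pfctl -vvss` output and checking two things per TCP state: that the last field of the first line is `ESTABLISHED:ESTABLISHED`, and that "expires in" on the third line is still close to `tcp.established`. The script below is an added example, not part of the mailing-list thread and not a FreeBSD or pf tool; it parses the three-line state layout shown in the mail with awk and flags states that are not fully established or that will expire in under a chosen number of seconds. It assumes the first line of each state carries the state pair as its last field and no NAT address in parentheses, and it feeds itself a constructed sample (documentation addresses, made-up counters) so it runs without pf.

```shell
#!/bin/sh
# Added example (not from the original mail): audit `pfctl -vvss` output for
# TCP states that pf does not consider fully established, or that are close
# to expiring.  Assumes the three-line layout shown in the mail:
#   <if> tcp <a> <- <b> <STATE:STATE>
#    [seq + win] wscale N  [seq + win] wscale N
#    age HH:MM:SS, expires in HH:MM:SS, ...
# States with a NAT address "(x.x.x.x:p)" on the first line are not handled.

# check_pf_states [THRESHOLD_SECONDS] < pfctl-output
# Prints one line per TCP state: "<peer> <state> <expires_in_s> <verdict>"
# verdict is OK, NOT_FULLY_ESTABLISHED or EXPIRES_SOON.
check_pf_states() {
    threshold="${1:-3600}"
    awk -v thr="$threshold" '
        # First line of a state entry; the state pair is the last field.
        $2 == "tcp" {
            peer  = $3 " " $4 " " $5
            state = $NF
            next
        }
        # Third line: "age HH:MM:SS, expires in HH:MM:SS, ..."; $5 is the
        # expiry with a trailing comma.
        $1 == "age" {
            split($5, t, ":")
            sub(",", "", t[3])
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            verdict = "OK"
            if (state != "ESTABLISHED:ESTABLISHED")
                verdict = "NOT_FULLY_ESTABLISHED"
            else if (secs < thr)
                verdict = "EXPIRES_SOON"
            print peer, state, secs, verdict
        }
    '
}

# Constructed sample in the format of `pfctl -vvss` (not real traffic):
# one healthy state, one half-closed state, one state about to expire.
sample_states() {
    cat <<'EOF'
em0 tcp 192.0.2.1:22 <- 198.51.100.7:57802       ESTABLISHED:ESTABLISHED
   [574539409 + 66576] wscale 0  [303632633 + 16656] wscale 3
   age 00:04:03, expires in 23:57:10, 932:894 pkts, 73171:153576 bytes, rule 106
em0 tcp 192.0.2.1:22 <- 198.51.100.9:40120       ESTABLISHED:FIN_WAIT
   [1000 + 65535] wscale 0  [2000 + 65535] wscale 3
   age 01:00:00, expires in 00:45:00, 10:8 pkts, 1200:900 bytes, rule 106
em0 tcp 192.0.2.1:22 <- 198.51.100.11:51000       ESTABLISHED:ESTABLISHED
   [3000 + 65535] wscale 0  [4000 + 65535] wscale 3
   age 23:50:00, expires in 00:10:00, 5:5 pkts, 600:600 bytes, rule 106
EOF
}

# Stand-alone run: report on the constructed sample with a one-hour threshold.
# On a real firewall, replace sample_states with: pfctl -vvss | check_pf_states 3600
sample_states | check_pf_states 3600
```

A state reported as `NOT_FULLY_ESTABLISHED` is exactly the case the reply warns about: pf will apply one of the shorter timeouts (`tcp.closing`, `tcp.finwait`, etc.) instead of `tcp.established`, so a capture of the connection should show who sent the FIN or RST. A state that is `OK` but `EXPIRES_SOON` while the connection is supposedly active points at traffic that is not matching that state at all.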