Keeping state of tcp connections

Rushan R. Shaymardanov rush at clink.ru
Wed Aug 4 07:30:08 UTC 2010


Daniel Hartmeier writes:

> The default timeout for fully established TCP connections in pf is
> 24 hours:
>
>   # pfctl -st
>   tcp.established           86400s
>
> You can change this value in pf.conf with
>
>   set timeout { tcp.established 86400 }

# pfctl -st | grep tcp.established
tcp.established           86400s


>
> When you establish an SSH connection, you should see a state like
>
>   # pfctl -vvss | grep -A 3 ":22 "
>
>   sis0 tcp 213.3.30.1:22 <- 83.77.96.2:57802 ESTABLISHED:ESTABLISHED
>    [574539409 + 66576] wscale 0  [303632633 + 16656] wscale 3
>    age 00:04:03, expires in 23:57:10, 932:894 pkts, 73171:153576 bytes, rule 106
>
> The last part of the first line should read "ESTABLISHED:ESTABLISHED",
> otherwise the connection is not considered fully established by pf
> for some reason, and the 24 hour timeout is not applied.
>
> The "expires in" part on the third line should equal 24 hours minus
> the current idle time. If it reaches zero, the state will be removed.
> Any activity of the connection should reset it to 24 hours.

# pfctl -vvss | grep -A 3 "192.168.50.225" | grep -A 3 "172.16.11.1:22"
all tcp 172.16.11.1:22 <- 192.168.50.225:49021       ESTABLISHED:ESTABLISHED
   [3592205748 + 333376] wscale 9  [2021010611 + 1049600] wscale 6
   age 00:20:15, expires in 04:13:48, 2107:4297 pkts, 125912:2371908 bytes, rule 293
   id: 4c46689c7daad5e7 creatorid: f74cdd39


I think here's the problem. This connection is the one I am using for
executing pfctl -ss, so "expires in" must be about 24 hrs like in your
example. But as you can see, the value is 4:13 here. When I execute the
command again, I get another value:

gw ~ # pfctl -vvss | grep -A 3 "192.168.50.225" | grep -A 3 "172.16.11.1:22"
all tcp 172.16.11.1:22 <- 192.168.50.225:49021       ESTABLISHED:ESTABLISHED
   [3592206868 + 333376] wscale 9  [2021010803 + 1049600] wscale 6
   age 00:21:58, expires in 02:35:27, 2119:4305 pkts, 126728:2373444 bytes, rule 293
   id: 4c46689c7daad5e7 creatorid: f74cdd39

Every time I execute this command, the value changes from 1:xx to 4:xx.

>
> So, does your state vanish after less idle time?
Yes.
> Did you change the timeout in pf?
No
> Are you sure neither side (server or client) is sending a TCP FIN
> or RST (have you captured an entire connection with tcpdump)?
Yes, I am sure.
> Did you manually remove the state (reboot the pf machine, pfctl -Fa
> or pfctl -Fs, or such)?
No
>
> Daniel

Rushan


