active pf states vs. active connections

CSS css at morefoo.com
Fri Aug 31 06:35:34 UTC 2012


Hello,

We've recently been seeing issues when creating a large number of outbound connections where the number of states kept by pf seriously outnumbers the number of actual connections as shown by netstat.  It's not terribly surprising - the kernel has different timeout values than the firewall.  However as I've been slowly moving the pf timeouts down (mainly on finwait entries), I'm not seeing the number of states really shrink.

For example, we might see about 200 connections in FIN_WAIT_2 in netstat, but over 20,000 tracked in pf, even with the tcp.finwait dropped down to 5s.

It's a problem I never really thought about before - how to address the inherent difference between how aggressively the kernel ages old connections out vs. how aggressively pf times them out.

Before I hit the list with a bunch of stats, I just wanted to get a feel for whether I'm on the right track here - should I essentially be turning down pf timeouts to match kernel tcp timeout parameters?  If I should, why am I seeing so many lingering state entries?

This is FreeBSD 8.3.

Thanks,

Charles

