Date: Wed, 04 Aug 2010 08:45:42 +0600
From: "Rushan R. Shaymardanov" <rush@clink.ru>
To: freebsd-pf@freebsd.org
Subject: Keeping state of tcp connections
Message-ID: <4C58D456.5010701@clink.ru>
Hello.

I have a FreeBSD router with FreeBSD and pf. In my pf.conf, I have a block-by-default rule and after it, something like this:

    block all
    pass in on $if_int from $net_int to any
    pass out on $if_ext from $net_int to any

When there is, for example, some idle ssh connection, pf stops tracking it in its state table after some period of inactivity (I don't see it in pfctl -ss). So, packets are blocked by my default block rule and my connection is closed by timeout.

When I rewrite my rules like this:

    pass in on $if_int from $mynet to any flags any no state
    pass out on $if_ext from $mynet to any flags any no state
    pass in on $if_ext from any to $mynet flags any no state
    pass out on $if_int from any to $mynet flags any no state

idle connections are not closed by timeout.

How can I make pf not delete tcp state entries from the state table by timeout? Or maybe I should increase the value of the timeout? It's not convenient for me to use no state rules in pf.conf.

Sorry for my English.

Shaymardanov Rushan
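As an added illustration (not part of the original mail or any reply to it), here is a pf.conf fragment that keeps stateful filtering, the approach the question prefers over `no state`, and instead tunes how long an idle established TCP state survives. The interface and network values, the timeout numbers and the state limit are assumptions chosen for the example; the macros reuse the names from the mail.

```pf
# Added example, not the original poster's configuration.
# Interface and network macros are assumed; adjust to your setup.
if_int  = "em0"
if_ext  = "em1"
net_int = "192.168.1.0/24"

# Global state timeouts (seconds). tcp.established is the idle timer that
# applies once the three-way handshake has completed; pf's default is 86400.
set timeout tcp.established 172800

# Adaptive timeouts scale every timer down once the number of states passes
# adaptive.start, so a full state table can expire idle connections early.
# Raise the limit (default 10000) and the adaptive thresholds together.
set limit states 50000
set timeout adaptive.start 30000
set timeout adaptive.end 60000

block all

# Stateful rules (keep state is the default for pass rules on current pf).
pass in  on $if_int from $net_int to any keep state
pass out on $if_ext from $net_int to any keep state

# A per-rule state option overrides the global value for states created by
# that rule only. pf uses the last matching rule, so these come last.
pass in  on $if_int proto tcp from $net_int to any \
    flags S/SA keep state (tcp.established 172800)
pass out on $if_ext proto tcp from $net_int to any \
    flags S/SA keep state (tcp.established 172800)
```

After loading the file with `pfctl -f /etc/pf.conf`, `pfctl -st` shows the timeouts actually in effect and `pfctl -si` the current state count, so you can confirm whether the table is anywhere near the adaptive thresholds before blaming the timers.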