From owner-freebsd-pf@FreeBSD.ORG  Wed Aug  4 02:54:37 2010
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E83D41065672
	for <freebsd-pf@freebsd.org>; Wed,  4 Aug 2010 02:54:37 +0000 (UTC)
	(envelope-from rush@clink.ru)
Received: from hosting.clink.ru (hosting.clink.ru [194.165.18.3])
	by mx1.freebsd.org (Postfix) with ESMTP id 9C7ED8FC12
	for <freebsd-pf@freebsd.org>; Wed,  4 Aug 2010 02:54:37 +0000 (UTC)
Received: from [192.168.50.225] (unknown [192.168.50.225])
	by hosting.clink.ru (Postfix) with ESMTPA id C029311DE6
	for <freebsd-pf@freebsd.org>; Wed,  4 Aug 2010 08:34:51 +0600 (YEKST)
Message-ID: <4C58D456.5010701@clink.ru>
Date: Wed, 04 Aug 2010 08:45:42 +0600
From: "Rushan R. Shaymardanov" <rush@clink.ru>
User-Agent: Mozilla-Thunderbird 2.0.0.22 (X11/20090706)
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Keeping state of tcp connections
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Aug 2010 02:54:38 -0000

Hello. I have a freebsd router with freebsd and pf.
In my pf.conf, I have block-by-default rule and after it, something like
this:

block all

pass in on $if_int from $net_int to any
pass out on $if_ext from $net_int to any

When there is, for example some idle ssh connection, pf stops tracking
it in its states table after some period of inactivity (I don't see it
in pfctl -ss). So, packets are blocked my default block rule and my
connection is closed by timeout.

When I rewrite my rule like this:

pass in on $if_int from $mynet to any flags any no state
pass out on $if_ext from $mynet to any flags any no state
pass in on $if_ext from any to $mynet flags any no state
pass out on $if_int from any to $mynet flags any no state

idle connections are not closing by timeout.

How can I make pf not to delete tcp state entries from state table by
timeout? Or maybe I should increase the value of timeout? It's not
convenient for me to use no state rules in pf.conf.

Sorry for my english.

Shaymardanov Rushan