From owner-freebsd-pf@FreeBSD.ORG Wed Aug 4 06:30:01 2010
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 348871065675; Wed, 4 Aug 2010 06:30:01 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (106-30.3-213.fix.bluewin.ch [213.3.30.106]) by mx1.freebsd.org (Postfix) with ESMTP id A5A888FC1D; Wed, 4 Aug 2010 06:30:00 +0000 (UTC)
Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1]) by insomnia.benzedrine.cx (8.14.1/8.13.4) with ESMTP id o746T8Lr001030 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Wed, 4 Aug 2010 08:29:08 +0200 (MEST)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.14.1/8.12.10/Submit) id o746T7Nr031927; Wed, 4 Aug 2010 08:29:07 +0200 (MEST)
Date: Wed, 4 Aug 2010 08:29:07 +0200
From: Daniel Hartmeier
To: "Rushan R. Shaymardanov"
Cc: freebsd-pf@freebsd.org
Subject: Re: Keeping state of tcp connections
Message-ID: <20100804062907.GA3834@insomnia.benzedrine.cx>
References: <4C58D456.5010701@clink.ru>
In-Reply-To: <4C58D456.5010701@clink.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.12-2006-07-14
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Wed, 04 Aug 2010 06:30:01 -0000

On Wed, Aug 04, 2010 at 08:45:42AM +0600, Rushan R. Shaymardanov wrote:

> When there is, for example, some idle ssh connection, pf stops tracking
> it in its states table after some period of inactivity (I don't see it
> in pfctl -ss). So, packets are blocked by my default block rule and my
> connection is closed by timeout.

The default timeout for fully established TCP connections in pf is 24 hours:

  # pfctl -st
  tcp.established              86400s

You can change this value in pf.conf with

  set timeout { tcp.established 86400 }

When you establish an SSH connection, you should see a state like

  # pfctl -vvss | grep -A 3 ":22 "
  sis0 tcp 213.3.30.1:22 <- 83.77.96.2:57802       ESTABLISHED:ESTABLISHED
     [574539409 + 66576] wscale 0  [303632633 + 16656] wscale 3
     age 00:04:03, expires in 23:57:10, 932:894 pkts, 73171:153576 bytes, rule 106

The last part of the first line should read "ESTABLISHED:ESTABLISHED";
otherwise the connection is not considered fully established by pf for
some reason, and the 24 hour timeout is not applied.

The "expires in" part on the third line should equal 24 hours minus the
current idle time. If it reaches zero, the state will be removed. Any
activity on the connection should reset it to 24 hours.

So, does your state vanish after less idle time? Did you change the
timeout in pf? Are you sure neither side (server or client) is sending
a TCP FIN or RST (have you captured an entire connection with tcpdump)?
Did you manually remove the state (reboot the pf machine, pfctl -Fa or
pfctl -Fs, or such)?

Daniel
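The checks Daniel asks for above (is the state really ESTABLISHED:ESTABLISHED, and how close is "expires in" to zero) can be scripted over the `pfctl -vvss` output. The following is an added example, not code from the original mail or from the pf project: a small POSIX sh/awk filter that reads `pfctl -vvss` on stdin and reports every TCP state that is not fully established, plus any state of any protocol that will expire within a threshold. The sample output it runs on is constructed here for the example; the state format (one unindented header line per state, followed by indented detail lines, one of which carries "expires in hh:mm:ss") matches the output shown in the mail. It assumes the plain `dst <- src` form of the header line, so NAT'd states that print an extra `(orig)` tuple would need wider field handling.

```shell
#!/bin/sh
# Added example (not from the original mail or from pf itself): flag pf states
# that the mail's diagnosis would point at. Live use:
#   pfctl -vvss | check_states 3600
# Prints one line per suspicious state:
#   NOT-ESTABLISHED <proto> <dst> <- <src> <state>          (TCP only)
#   EXPIRING        <proto> <dst> <- <src> <state> expires_in=<secs>s

# Constructed sample of `pfctl -vvss` output (same layout as the mail's example).
# States 1 and 2 are idle SSH sessions; 3 is half-closed; 4 is a UDP DNS state.
SAMPLE='sis0 tcp 213.3.30.1:22 <- 83.77.96.2:57802       ESTABLISHED:ESTABLISHED
   [574539409 + 66576] wscale 0  [303632633 + 16656] wscale 3
   age 00:04:03, expires in 23:57:10, 932:894 pkts, 73171:153576 bytes, rule 106
sis0 tcp 213.3.30.1:22 <- 83.77.96.3:40111       ESTABLISHED:ESTABLISHED
   [1 + 1] wscale 0  [2 + 2] wscale 0
   age 23:55:00, expires in 00:05:00, 10:10 pkts, 800:900 bytes, rule 106
sis0 tcp 213.3.30.1:22 <- 83.77.96.4:51234       FIN_WAIT_2:FIN_WAIT_2
   [1 + 1] wscale 0  [2 + 2] wscale 0
   age 00:00:30, expires in 00:01:00, 5:5 pkts, 400:400 bytes, rule 106
sis0 udp 213.3.30.1:53 <- 83.77.96.5:1024        MULTIPLE:SINGLE
   age 00:00:10, expires in 00:00:50, 1:1 pkts, 60:120 bytes, rule 50'

# check_states [warn_seconds]  -- reads pfctl -vvss output on stdin.
check_states() {
    warn=${1:-3600}
    awk -v warn="$warn" '
        # Header line: starts in column 0: iface proto dst <- src STATE:STATE
        /^[^[:space:]]/ {
            proto = $2
            conn  = $3 " " $4 " " $5
            st    = $NF
            next
        }
        # Detail line carrying the remaining lifetime of the current state.
        /expires in/ {
            if (match($0, /expires in [0-9]+:[0-9][0-9]:[0-9][0-9]/)) {
                t = substr($0, RSTART + 11, RLENGTH - 11)   # "hh:mm:ss"
                split(t, p, ":")
                secs = p[1] * 3600 + p[2] * 60 + p[3]
                if (proto == "tcp" && st != "ESTABLISHED:ESTABLISHED")
                    printf "NOT-ESTABLISHED %s %s %s\n", proto, conn, st
                else if (secs < warn)
                    printf "EXPIRING %s %s %s expires_in=%ds\n", proto, conn, st, secs
            }
        }
    '
}

# Demo run over the constructed sample with a one-hour warning threshold.
printf '%s\n' "$SAMPLE" | check_states 3600
```

Run against a live firewall with `pfctl -vvss | check_states 3600`. An SSH session that shows up as EXPIRING with a long "age" is exactly the symptom the mail describes (idle time eating into the 24 hour budget), while one listed as NOT-ESTABLISHED means pf saw a FIN or RST, or never saw a full handshake, which is the tcpdump question Daniel raises.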