From: "Rushan R. Shaymardanov" <rush@clink.ru>
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Wed, 04 Aug 2010 13:40:58 +0600
Message-ID: <4C59198A.1060206@clink.ru>
In-Reply-To: <20100804062907.GA3834@insomnia.benzedrine.cx>
Subject: Re: Keeping state of tcp connections

Daniel Hartmeier writes:
> The default timeout for fully established TCP connections in pf is
> 24 hours:
>
> # pfctl -st
> tcp.established 86400s
>
> You can change this value in pf.conf with
>
> set timeout { tcp.established 86400 }

# pfctl -st | grep tcp.established
tcp.established 86400s

> When you establish an SSH connection, you should see a state like
>
> # pfctl -vvss | grep -A 3 ":22 "
>
> sis0 tcp 213.3.30.1:22 <- 83.77.96.2:57802 ESTABLISHED:ESTABLISHED
> [574539409 + 66576] wscale 0 [303632633 + 16656] wscale 3
> age 00:04:03, expires in 23:57:10, 932:894 pkts, 73171:153576 bytes, rule 106
>
> The last part of the first line should read "ESTABLISHED:ESTABLISHED",
> otherwise the connection is not considered fully established by pf
> for some reason, and the 24 hour timeout is not applied.
>
> The "expires in" part on the third line should equal 24 hours minus
> the current idle time. If it reaches zero, the state will be removed.
> Any activity of the connection should reset it to 24 hours.

# pfctl -vvss | grep -A 3 "192.168.50.225" | grep -A 3 "172.16.11.1:22"
all tcp 172.16.11.1:22 <- 192.168.50.225:49021 ESTABLISHED:ESTABLISHED
   [3592205748 + 333376] wscale 9 [2021010611 + 1049600] wscale 6
   age 00:20:15, expires in 04:13:48, 2107:4297 pkts, 125912:2371908 bytes, rule 293
   id: 4c46689c7daad5e7 creatorid: f74cdd39

I think here's the problem. This connection is the one I am using for executing pfctl -ss, so "expires in" should be about 24 hrs, like in your example. But as you can see, the value is 4:13 here. When I execute the command again, I get another value:

gw ~ # pfctl -vvss | grep -A 3 "192.168.50.225" | grep -A 3 "172.16.11.1:22"
all tcp 172.16.11.1:22 <- 192.168.50.225:49021 ESTABLISHED:ESTABLISHED
   [3592206868 + 333376] wscale 9 [2021010803 + 1049600] wscale 6
   age 00:21:58, expires in 02:35:27, 2119:4305 pkts, 126728:2373444 bytes, rule 293
   id: 4c46689c7daad5e7 creatorid: f74cdd39

Every time I execute this command, the value changes from 1:xx to 4:xx.

> So, does your state vanish after less idle time?

Yes.

> Did you change the timeout in pf?

No.

> Are you sure neither side (server or client) is sending a TCP FIN
> or RST (have you captured an entire connection with tcpdump)?

Yes, I'm sure.

> Did you manually remove the state (reboot the pf machine, pfctl -Fa
> or pfctl -Fs, or such)?

No.

> Daniel

Rushan
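The check Daniel describes (an active ESTABLISHED:ESTABLISHED state should have "expires in" close to tcp.established) can be automated over two `pfctl -vvss` snapshots. This is an added example, not code from the thread or from pf; it parses the two snapshots Rushan posted (embedded below as constructed sample input) and flags states that carried traffic between the snapshots yet show a timer far below the configured timeout.

```python
import re
# Constructed sample input: the two pfctl -vvss snapshots quoted in the thread.
SNAPSHOT_1 = """\
all tcp 172.16.11.1:22 <- 192.168.50.225:49021       ESTABLISHED:ESTABLISHED
   [3592205748 + 333376] wscale 9  [2021010611 + 1049600] wscale 6
   age 00:20:15, expires in 04:13:48, 2107:4297 pkts, 125912:2371908 bytes, rule 293
   id: 4c46689c7daad5e7 creatorid: f74cdd39
"""
SNAPSHOT_2 = """\
all tcp 172.16.11.1:22 <- 192.168.50.225:49021       ESTABLISHED:ESTABLISHED
   [3592206868 + 333376] wscale 9  [2021010803 + 1049600] wscale 6
   age 00:21:58, expires in 02:35:27, 2119:4305 pkts, 126728:2373444 bytes, rule 293
   id: 4c46689c7daad5e7 creatorid: f74cdd39
"""
HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(<-|->|<->)\s+(\S+)\s+(\S+:\S+)$")
TIMERS = re.compile(r"age (\d+:\d+:\d+), expires in (\d+:\d+:\d+), (\d+):(\d+) pkts")
IDENT = re.compile(r"id: (\w+) creatorid: (\w+)")

def hms(text):
    """'04:13:48' -> 15228 seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_states(text):
    """Parse pfctl -vvss output into dicts; unrecognised lines are skipped."""
    states, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line.strip()):
            cur = {"proto": m.group(2), "left": m.group(3), "dir": m.group(4),
                   "right": m.group(5), "state": m.group(6)}
            states.append(cur)
        elif cur and (m := TIMERS.search(line)):
            cur["age"], cur["expires"] = hms(m.group(1)), hms(m.group(2))
            cur["pkts"] = int(m.group(3)) + int(m.group(4))
        elif cur and (m := IDENT.search(line)):
            cur["id"] = m.group(1)
    return states

def timer_anomalies(prev_states, cur_states, timeout_s=86400):
    """Established states with new packets since the previous snapshot whose
    timer is still well below timeout_s: activity should have reset it."""
    prev = {s["id"]: s for s in prev_states if "id" in s}
    flagged = []
    for cur in cur_states:
        old = prev.get(cur.get("id"))
        if old is None or cur["state"] != "ESTABLISHED:ESTABLISHED":
            continue
        interval = cur["age"] - old["age"]  # seconds between the two snapshots
        if cur["pkts"] > old["pkts"] and cur["expires"] < timeout_s - interval:
            flagged.append(cur)
    return flagged
```

Pass `pfctl -vvss` output captured a minute apart to the two functions; the default of 86400 matches the value `pfctl -st` reports in the thread.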