Keeping state of tcp connections
Rushan R. Shaymardanov
rush at clink.ru
Wed Aug 4 02:54:38 UTC 2010
Hello. I have a FreeBSD router with pf.
In my pf.conf, I have a block-by-default rule and after it something like
this:
block all
pass in on $if_int from $net_int to any
pass out on $if_ext from $net_int to any
When there is, for example, some idle ssh connection, pf stops tracking
it in its state table after some period of inactivity (I don't see it
in pfctl -ss). So packets are blocked by my default block rule and my
connection is closed by timeout.
When I rewrite my rule like this:
pass in on $if_int from $mynet to any flags any no state
pass out on $if_ext from $mynet to any flags any no state
pass in on $if_ext from any to $mynet flags any no state
pass out on $if_int from any to $mynet flags any no state
idle connections are not closed by timeout.
How can I make pf not delete TCP state entries from the state table by
timeout? Or maybe I should increase the value of the timeout? It's not
convenient for me to use no state rules in pf.conf.
Sorry for my English.
Shaymardanov Rushan
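The timeout adjustment the poster asks about, shown as an added pf.conf example that is not part of the original post. It keeps stateful filtering (no "no state" rules) and raises the idle TCP timeout globally and per rule; the interface and network macro values are constructed, and it assumes that state expiry (check with pfctl -st and pfctl -vss) is really what closes the idle connection.

```pf
# Added example, not from the original post. Assumes the idle TCP states
# are expiring; verify first with "pfctl -st" (configured timeouts) and
# "pfctl -vss" (per-state expiry countdown) before changing anything.

if_int  = "em0"              # constructed values; use your own
if_ext  = "em1"
net_int = "192.168.1.0/24"

# Global option: seconds an idle ESTABLISHED TCP state is kept.
# pf's default is 86400 (24 h); 172800 keeps idle sessions for two days.
# Options must precede the filter rules.
set timeout tcp.established 172800

block all

# Generic stateful rules, as in the original ruleset (default timeouts).
pass in  on $if_int from $net_int to any
pass out on $if_ext from $net_int to any

# pf uses last-match-wins, so these TCP-only rules come after the generic
# ones and override them for TCP with a longer per-rule established
# timeout, leaving UDP/ICMP states on the normal defaults.
pass in  on $if_int proto tcp from $net_int to any \
    keep state (tcp.established 259200)
pass out on $if_ext proto tcp from $net_int to any \
    keep state (tcp.established 259200)
```

Longer state lifetimes mean the state table holds stale entries longer, so watch "pfctl -si" (state count and limits) after raising them.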