Hi,
I'm seeing a discrepancy between pf.conf(5) timeout options and actual
behavior. I have an internal host that initiates a connection outbound
through the firewall with a "keep state" rule. After the remote host
sends a FIN and the local host ACKs it, the state table entry starts a
45 second countdown and then is purged. The local host has not sent a
FIN yet, so the state shows as "FIN_WAIT_2:ESTABLISHED". I have not
modified the default timers in my ruleset. The only 45s timer is
tcp.finwait, but I wouldn't expect that to be used until after the
local host sent its FIN. Shouldn't the tcp.closing timer (90s) be used
instead, or am I interpreting this wrong? I'm running OpenBSD 3.7.
[from pf.conf(5)]
tcp.closing
The state after the first FIN has been sent.
tcp.finwait
The state after both FINs have been exchanged and the connection
is closed. Some hosts (notably web servers on Solaris) send TCP
packets even after closing the connection. Increasing tcp.finwait
(and possibly tcp.closing) can prevent blocking of such packets.
# pfctl -st
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
-Ryan