Re: [pfSense Support] NAT Reflection States

2008-11-18 Thread Scott Ullrich
On Tue, Nov 18, 2008 at 6:32 PM, Dimitri Rodis
[EMAIL PROTECTED] wrote:
 How long will pfSense hold onto the states required to maintain a tcp
 connection/udp session, and can this be changed?



 It seems like connections on my network that are utilizing NAT reflection
 are timing out extremely fast (like 20 seconds or less). The firewall
 optimization is set to conservative.



 This is only a guess, but it's the only thing that I can think of that makes
 sense based on the behavior I'm experiencing. (RDP sessions timing out and
 constantly reconnecting, and uploading changes to websites via sharepoint
 server extensions are all timing out, long transfers between mail servers as
 well).


From /etc/inc/filter.inc:

    if($config['system']['reflectiontimeout'])
        $reflectiontimeout = $config['system']['reflectiontimeout'];
    else
        $reflectiontimeout = 2000;


You can set an override with <system><reflectiontimeout>

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] NAT Reflection States

2008-11-18 Thread BSD Wiz
Go to 'systems', 'advanced functions', and check out: Firewall
Optimization Options. You can change the timing there.


I'm not sure as to the exact timing. I believe this has to do with
FreeBSD's implementation of TCP/IP??


-phil








Re: [pfSense Support] NAT Reflection States

2008-11-18 Thread BSD Wiz

Ahh, I see now.





RE: [pfSense Support] NAT Reflection States

2008-11-18 Thread Dimitri Rodis
Thanks, Scott.

Dimitri Rodis
Integrita Systems LLC 



RE: [pfSense Support] NAT Reflection States

2008-11-18 Thread Dimitri Rodis
That's milliseconds, correct?

Dimitri Rodis
Integrita Systems LLC 



Re: [pfSense Support] NAT Reflection States

2008-11-18 Thread Scott Ullrich
On Tue, Nov 18, 2008 at 6:40 PM, Dimitri Rodis
[EMAIL PROTECTED] wrote:
 That's milliseconds, correct?

I believe that is seconds, actually (whatever the default nc uses -- netcat).

Scott




RE: [pfSense Support] NAT Reflection States

2008-11-18 Thread Dimitri Rodis
Check this out: http://cvstrac.pfsense.com/chngview?cn=18706

Comment: Default to nat-reflection inactivity of 2000 which is roughly 33
minutes.

lol, 2000=33 minutes? Can't be. I have an RDP session open to another server
in the building here and it's timed out at least 6 times since you emailed
me last.

Dimitri Rodis
Integrita Systems LLC 




RE: [pfSense Support] NAT Reflection States

2008-11-18 Thread Dimitri Rodis
the -w param is in seconds according to
http://www.securityforest.com/wiki/index.php/Netcat_-_Basic_Overview

Any other ideas as to why connections would be dropping/timing out like
this?

Dimitri Rodis
Integrita Systems LLC 




Re: [pfSense Support] NAT Reflection States

2008-11-18 Thread digger
I have the same issue with reflection and SSH. The session closes after 
about 20 seconds.


I am using 1.2.1-RC1 built on Thu Oct 16 07:20:59 EDT 2008

Not a huge issue as I can connect directly to the internal IP in the DMZ 
but it would be nice.


Regards,

Digger.




Re: [pfSense Support] NAT Reflection States

2008-11-18 Thread Scott Ullrich
On Tue, Nov 18, 2008 at 7:04 PM, digger [EMAIL PROTECTED] wrote:
 I have the same issue with reflection and SSH. The session closes after
 about 20 seconds.

 I am using 1.2.1-RC1 built on Thu Oct 16 07:20:59 EDT 2008

 Not a huge issue as I can connect directly to the internal IP in the DMZ but
 it would be nice.

What does /var/etc/inetd.conf look like?  Do you see the timeouts defined?

Scott




RE: [pfSense Support] NAT Reflection States

2008-11-18 Thread Dimitri Rodis
I am using

1.2-RELEASE 
built on Sun Feb 24 17:04:58 EST 2008

so it isn't an RC thing.

Dimitri Rodis
Integrita Systems LLC 




RE: [pfSense Support] NAT Reflection States

2008-11-18 Thread Dimitri Rodis
There are a ton of lines that look like this:

19004   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 20

I guess we found the culprit then? Why is it using 20 as opposed to 2000?

Dimitri Rodis
Integrita Systems LLC 




Re: [pfSense Support] NAT Reflection States

2008-11-18 Thread Scott Ullrich
On Tue, Nov 18, 2008 at 7:10 PM, Dimitri Rodis
[EMAIL PROTECTED] wrote:
 There are a ton of lines that look like this:

 19004   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 20

 I guess we found the culprit then? Why is it using 20 as opposed to 2000?

It was a mistake / code duplication.

Fixed now, please test next snapshot.

Scott
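An added example, not from the thread and not pfSense's own code: a POSIX shell script that audits the nc entries pfSense 1.2 writes to /var/etc/inetd.conf and flags any whose "nc -w" idle timeout is shorter than the reflectiontimeout the config asked for, which is exactly the "-w 20 instead of 2000" mismatch found above. The 2000-second fallback mirrors the filter.inc snippet quoted earlier in the thread. The sample inetd.conf text, the 192.0.2.x target addresses and ports, and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not pfSense code): audit reflection entries in inetd.conf.
# pfSense 1.2 implements NAT reflection by having inetd spawn
# "nc -w <idle-timeout> <target> <port>" for each reflected port, so the -w
# value is the real session idle timeout, whatever filter.inc computed.

# Constructed sample resembling the lines quoted in the thread. Two entries
# carry the buggy -w 20, one carries the intended 2000; the ftpd line is
# there to show non-reflection entries are ignored. Targets are placeholders.
SAMPLE_INETD_CONF='19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.0.2.10 3389
19005 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.0.2.11 22
19006 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.0.2.12 443
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l'

# Mirror of the filter.inc logic: use the configured <reflectiontimeout>
# if set, otherwise fall back to 2000 (seconds, per nc -w).
reflection_timeout() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        printf '2000\n'
    fi
}

# Print the -w value of one inetd.conf line; print nothing if the line does
# not spawn /usr/bin/nc (field 6 is the server program path in inetd.conf).
nc_timeout_of() {
    printf '%s\n' "$1" | awk '
        $6 == "/usr/bin/nc" {
            for (i = 7; i <= NF; i++) if ($i == "-w") { print $(i + 1); exit }
        }'
}

# Print "port timeout" for every nc entry whose -w is below the expected
# timeout, so the offending reflection ports can be listed.
list_short_timeouts() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $6 == "/usr/bin/nc" {
            for (i = 7; i <= NF; i++)
                if ($i == "-w") { if ($(i + 1) + 0 < want + 0) print $1, $(i + 1); break }
        }'
}

# Count the offending entries (0 means inetd.conf matches the config).
count_short_timeouts() {
    list_short_timeouts "$1" "$2" | awk 'END { print NR }'
}

# Emit a corrected inetd.conf line for one reflected port, the form the
# generator should have produced with the configured timeout.
reflection_inetd_line() {
    # $1 listen port, $2 idle timeout, $3 target host, $4 target port
    printf '%s\tstream\ttcp\tnowait/0\tnobody\t/usr/bin/nc\tnc -w %s %s %s\n' \
        "$1" "$2" "$3" "$4"
}

# Stand-alone run against the constructed sample; on a real box replace
# SAMPLE_INETD_CONF with "$(cat /var/etc/inetd.conf)".
expected=$(reflection_timeout "")
echo "expected reflection idle timeout: ${expected}s"
echo "entries below expected timeout: $(count_short_timeouts "$SAMPLE_INETD_CONF" "$expected")"
list_short_timeouts "$SAMPLE_INETD_CONF" "$expected" | while read -r port secs; do
    echo "  port $port uses -w $secs (should be $expected)"
done
```

On a live 1.2 system the same audit is a one-liner once the functions are loaded: list_short_timeouts "$(cat /var/etc/inetd.conf)" "$(reflection_timeout "")". Any hit means a reflected session will be torn down after that many idle seconds regardless of the pf state timeouts set under Firewall Optimization Options, which is why changing that page had no effect on the problem.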




Re: [pfSense Support] NAT Reflection States

2008-11-18 Thread digger
My next scheduled outage is US Sunday night . I'll let you know how it 
goes after that.


Thanks

Digger.


