State Table Timeout
-
Hi there,
I am just curious what the default tcp timeout for an entry in the state table might be. I am looking at the state table right now and see the following:
tcp 80.67.x.x:993 <- 10.0.100.2:61538 ESTABLISHED:ESTABLISHED
tcp 74.125.x.x:5222 <- 10.0.100.2:51210 ESTABLISHED:ESTABLISHED
tcp 80.67.x.x:993 <- 10.0.100.2:54622 ESTABLISHED:ESTABLISHED
tcp 10.0.100.2:54622 -> 87.184.x.x:51160 -> 80.67.x.x:993 ESTABLISHED:ESTABLISHED
tcp 74.125.x.x:5222 <- 10.0.100.2:54624 ESTABLISHED:ESTABLISHED
tcp 10.0.100.2:54624 -> 87.184.x.x:63754 -> 74.125.x.x:5222 ESTABLISHED:ESTABLISHED

The computer with the IP 10.0.100.2 has been shut down since last night, so for about 14 hours now… why are these states still kept? Shouldn't these have timed out long before?
Thanks
-
It depends on what your firewall optimization settings are, but you can check the timers with pfctl -st.
For example, on a VM I just grabbed the console from, it shows:

: pfctl -st
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            28200 states
adaptive.end              56400 states
src.track                     0s
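A small parser for the pfctl -st listing quoted above, added here as an example and not code from the thread or from pfSense: it reads the timer names and values (including the two adaptive thresholds, which carry a "states" unit instead of seconds) and reports which idle timers exceed a chosen limit, so a 24-hour tcp.established stands out at a glance. The sample input is the output shown above, reflowed onto several lines.

```python
# Constructed sample: the pfctl -st listing quoted above, reflowed for
# readability. The parser is whitespace based, so the original single
# line form is accepted as well.
PFCTL_ST_OUTPUT = """
tcp.first 120s tcp.opening 30s tcp.established 86400s tcp.closing 900s
tcp.finwait 45s tcp.closed 90s tcp.tsdiff 30s udp.first 60s udp.single 30s
udp.multiple 60s icmp.first 20s icmp.error 10s other.first 60s
other.single 30s other.multiple 60s frag 30s interval 10s
adaptive.start 28200 states adaptive.end 56400 states src.track 0s
"""

def parse_pfctl_timeouts(text):
    """Return ({timer: seconds}, {threshold: state count}).

    Timers look like "tcp.established 86400s" (2 tokens); the adaptive
    thresholds look like "adaptive.start 28200 states" (3 tokens).
    """
    timeouts, limits = {}, {}
    tokens = text.split()
    i = 0
    while i + 1 < len(tokens):
        name, value = tokens[i], tokens[i + 1]
        if value.endswith("s") and value[:-1].isdigit():
            timeouts[name] = int(value[:-1])
            i += 2
        elif value.isdigit() and i + 2 < len(tokens) and tokens[i + 2] == "states":
            limits[name] = int(value)
            i += 3
        else:
            raise ValueError("unrecognised pfctl -st entry near %r" % name)
    return timeouts, limits

def long_lived_timers(timeouts, max_seconds):
    """Timers whose idle timeout exceeds max_seconds, longest first."""
    over = [(n, s) for n, s in timeouts.items() if s > max_seconds]
    return sorted(over, key=lambda item: item[1], reverse=True)

def human(seconds):
    """Render a timeout in seconds as hours, minutes and seconds."""
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    return "%dh%02dm%02ds" % (hours, minutes, secs)

if __name__ == "__main__":
    timeouts, limits = parse_pfctl_timeouts(PFCTL_ST_OUTPUT)
    for name, secs in long_lived_timers(timeouts, 3600):
        print("%-16s %s" % (name, human(secs)))   # tcp.established 24h00m00s
```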
-
Thanks jimp. Well, the tcp.established 86400s is the root of all evil… ;-)
Isn't that quite long?
-
Not for an established connection.
If a system properly terminates its connections, the entries go away immediately. They don't hang out there forever unless one side believes it is still open.