Variable State Timeouts - possible?
-
I think I know the answer to this will be no, but I'll ask.
At the moment we have one setting for state timeouts, which is (from https://www.freebsd.org/cgi/man.cgi?query=pf.conf%285%29&sektion=normal):
normal: A normal network environment. Suitable for almost all networks.
high-latency: A high-latency environment (such as a satellite connection).
satellite: Alias for high-latency.
aggressive: Aggressively expire connections. This can greatly reduce the memory usage of the firewall at the cost of dropping idle connections early.
conservative: Extremely conservative settings. Avoid dropping legitimate connections at the expense of greater memory utilization (possibly much greater on a busy network) and slightly increased processor utilization.
Question is, with pfsense being used with multiple optional interfaces (OPTx), would it be possible to have a different state timeout for the different interfaces for a single firewall DMZ?
Things like the TV set-top box require a long/satellite timeout, otherwise it's useless and slow getting things like TV guide data from its multiple sources, but for things like my email server on a separate network interface I'd like a short/aggressive timeout.
As pfsense can kill states with the scheduler, I wondered if it would be possible for pfsense to do state timeouts by interface? A workaround at the moment is just to set pfsense, as it's the WAN-side facing device firewall, to long/satellite optimisation, and then put another firewall (2 firewall DMZ) in front of the email server with a short/aggressive state timeout.
So would it be possible for pfsense to have different state timeouts by nic?
TIA.
-
No, no such thing supported in pf (I mean the pf packet filter, not pfSense.)
-
You can set timeouts for TCP on individual rules, just keep in mind you must set the timeout on an interface rule and again on a floating rule (quick, outbound, on the WAN for example) but that gets tricky since by the time the WAN floating rules outbound get parsed NAT has applied, so you may not be able to distinguish based on source address unless you NAT each interface out a different IP address… or if you can match based on destination that would work for certain.
-
You can set timeouts for TCP on individual rules, just keep in mind you must set the timeout on an interface rule and again on a floating rule (quick, outbound, on the WAN for example) but that gets tricky since by the time the WAN floating rules outbound get parsed NAT has applied, so you may not be able to distinguish based on source address unless you NAT each interface out a different IP address… or if you can match based on destination that would work for certain.
I'll check that out, it sounds like it's better suited for my needs instead of a blanket state timeout. Thanks.
-
You can set timeouts for TCP on individual rules, just keep in mind you must set the timeout on an interface rule and again on a floating rule (quick, outbound, on the WAN for example) but that gets tricky since by the time the WAN floating rules outbound get parsed NAT has applied, so you may not be able to distinguish based on source address unless you NAT each interface out a different IP address… or if you can match based on destination that would work for certain.
Or you can mark the traffic on the LAN in rule and match the mark on the floating out rule.
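A pf.conf sketch of the approach in the two replies above (per-rule TCP state timeouts, plus tagging so the floating WAN rule can still tell the flows apart once outbound NAT has rewritten the source address). This is an added example, not config from the thread or a ruleset generated by pfSense; the interface names, networks and timeout values are assumptions.

```pf
# Added example (not from the thread). Interface names, networks and
# timeout values are assumptions chosen for illustration.
tv_if    = "em1"             # OPT1: set-top box segment
mail_if  = "em2"             # OPT2: mail server segment
wan_if   = "em0"
tv_net   = "192.0.2.0/24"     # constructed documentation addresses
mail_net = "198.51.100.0/24"

# Outbound NAT hides both segments behind the WAN address, which is why a
# floating out rule on WAN cannot match on the original source address.
nat on $wan_if from { $tv_net, $mail_net } to any -> ($wan_if)

# Interface (inbound) rules: tag the flow and set the per-state timeout.
# tcp.established is the idle timeout for an established TCP connection,
# so it is the knob that decides when an idle box connection is dropped.
pass in quick on $tv_if proto tcp from $tv_net to any \
    tag TV_LONG keep state (tcp.established 86400)     # 24 h, satellite-like
pass in quick on $mail_if proto tcp from $mail_net to any \
    tag MAIL_SHORT keep state (tcp.established 600)    # 10 min, aggressive-like

# Floating outbound rules on WAN: the tag set on the inbound rule survives
# NAT, so match on it and repeat the timeout. pfSense creates a separate
# state on the WAN side, and that state gets the timeout of this rule, so
# forgetting it here silently falls back to the global setting.
pass out quick on $wan_if proto tcp tagged TV_LONG \
    keep state (tcp.established 86400)
pass out quick on $wan_if proto tcp tagged MAIL_SHORT \
    keep state (tcp.established 600)
```

To confirm the per-rule values took effect, `pfctl -vss` lists each state with its "expires in" countdown, so an idle mail-server state should show a much shorter remaining time than an idle set-top box state.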