NAT timeout values?

AndrewZ · Jun 3, 2010, 6:03 PM

Hello

A few questions from a newbie…

Is it possible to see the actual states with the timeouts for UDP in the NAT table?
On my old router I used to check the content of /proc/net/ip_conntrack for that kind of information. This old router has UDP NAT timeout preset to 180 sec.

As I understood, changing the "Firewall Optimization Options" from "normal" to "conservative" will affect those NAT timeouts. What are the actual numbers for them with the both settings?

Thanks!

jimp · Jun 4, 2010, 2:22 PM

You can check them like so, from the shell:

# pfctl -st
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

Conservative sets the following:

set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

AndrewZ · Jun 4, 2010, 8:08 PM

OK, thanks jimp. Will stay with conservative.