    A few questions from a newbie…

    Is it possible to see the actual states with the timeouts for UDP in the NAT table?
    On my old router I used to check the content of /proc/net/ip_conntrack for that kind of information. This old router has the UDP NAT timeout preset to 180 sec.

    As I understood, changing the "Firewall Optimization Options" from "normal" to "conservative" will affect those NAT timeouts. What are the actual numbers for them with both settings?


    You can check them like so, from the shell:

    # pfctl -st
    tcp.first                   120s
    tcp.opening                  30s
    tcp.established           86400s
    tcp.closing                 900s
    tcp.finwait                  45s
    tcp.closed                   90s
    tcp.tsdiff                   30s
    udp.first                    60s
    udp.single                   30s
    udp.multiple                 60s
    icmp.first                   20s
    icmp.error                   10s
    other.first                  60s
    other.single                 30s
    other.multiple               60s
    frag                         30s
    interval                     10s
    adaptive.start             6000 states
    adaptive.end              12000 states
    src.track                     0s

    Conservative sets the following:

    set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
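    As an added example (not code from the thread or from pfSense itself), here is a small POSIX shell check that parses pfctl -st output and reports any UDP timeout that differs from the conservative values quoted above; the embedded listing is a constructed copy of the normal-profile output shown earlier, and the function names are assumed.

```shell
# Constructed sample of `pfctl -st` output (the "normal" profile from the post above).
SAMPLE_NORMAL='tcp.first                   120s
tcp.established           86400s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
other.first                  60s
adaptive.start             6000 states'

# Constructed sample after switching to "conservative" (only the udp.* lines change).
SAMPLE_CONSERVATIVE='tcp.first                   120s
udp.first                   300s
udp.single                  150s
udp.multiple                900s
icmp.first                   20s'

# get_timeout <pfctl -st text> <name>: print the value in seconds (no trailing "s"),
# or nothing if the name is absent.
get_timeout() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { sub(/s$/, "", $2); print $2; exit }'
}

# check_conservative <pfctl -st text>: print one line per UDP timeout that does not
# match the conservative profile; return 0 if all match, 1 otherwise.
check_conservative() {
    rc=0
    for pair in udp.first=300 udp.single=150 udp.multiple=900; do
        key=${pair%=*}
        want=${pair#*=}
        have=$(get_timeout "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key: running=${have:-missing}s expected=${want}s"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: on a live box replace the sample with "$(pfctl -st)".
check_conservative "$SAMPLE_NORMAL" || echo "running UDP timeouts do not match the conservative profile"
```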

  • OK, thanks jimp. Will stay with conservative.

