Recommended value for tcp.established timer

torino

hi everyone !

just some questions regarding firewall timers :

1. what is the recommended value for tcp.established ?
       and what is the default-value in pfsense ?

2. which tcp-flag(s) triggers the cleanup of the state ESTABLISHED:ESTABLISHED ?
       FIN ? RST ? or both ?

many thanks for your support !

jimp

The default is the recommended value:

: pfctl -st
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            27600 states
adaptive.end              55200 states
src.track                    60s

You can change some of those timers by adjusting the firewall optimization mode under System > Advanced on the Firewall/NAT tab.

IIRC both FIN and RST will tear down the connection, but that would be something you'd find in pf's documentation in OpenBSD.