Tcp.established changed on "System: Advanced: System Tunables" doesn't stick.

kwag

The subject says it all.
I'm trying to change the default value of  tcp.established  which default value is  86400s

I added tcp.established under the system tuneables, but even after a system reboot, it comes back up as 86400s.

pfctl  -s timeouts

tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s

etc. etc. etc.

Am I missing something?

Thanks,
-Karl

jimp

That's not a system tunable. It's a pf timer.

The only user-facing option that affects those is under System > Advanced on the Firewall/NAT tab, "Firewall Optimization". Conservative mode raises the timeout, Aggressive mode will lower the timeout.

kwag

@jimp:

That's not a system tunable. It's a pf timer.

The only user-facing option that affects those is under System > Advanced on the Firewall/NAT tab, "Firewall Optimization". Conservative mode raises the timeout, Aggressive mode will lower the timeout.

Ok. Thanks for responding.

So, where can I change this pf timer and make the change persistent?
I would like to lower the value to something like 1 hour.

Thanks,
-Karl

jimp

The only GUI option is the firewall optimization. There isn't any way to set it manually short of patching the code that produces the ruleset part that includes the timers.