Variable State Timeouts - possible?

firewalluser

I think I know the answer to this will be no, but I'll ask.

At the moment we have one setting for state timesouts which is
https://www.freebsd.org/cgi/man.cgi?query=pf.conf%285%29&sektion=

normal
		 A normal network environment.	Suitable for almost all	net-
		 works.
	   high-latency
		 A high-latency	environment (such as a satellite connection).
	   satellite
		 Alias for high-latency.
	   aggressive
		 Aggressively expire connections.  This	can greatly reduce the
		 memory	usage of the firewall at the cost of dropping idle
		 connections early.
	   conservative
		 Extremely conservative	settings.  Avoid dropping legitimate
		 connections at	the expense of greater memory utilization
		 (possibly much	greater	on a busy network) and slightly
		 increased processor utilization.

Question is, with pfsense being used with multiple optional interfaces (OPTx), would it be possible to have a different state timeout for the different interfaces for a single firewall DMZ?

Things like the TV settop box requires a long/satellite timeout otherwise its useless and slow getting things like tvguide date from its multiple sources, but for things like my email server on a separate network interface I'd like a short/aggressive timeout.
As pfsense can kill states with the scheduler, I wondered if it would be possible for pfsense to do state timeouts by interface?

A workaround at the moment is just set pfsense, as its the wanside facing device firewall, to long/satellite optimisation, and then put another firewall (2 firewall DMZ) in front of the email server with a short/aggressive state timeout.

So would it be possible for pfsense to have different state timeouts by nic?

TIA.

doktornotor

No, no such thing supported in pf (I mean the pf packet filter, not pfSense.)

jimp

You can set timeouts for TCP on individual rules, just keep in mind you must set the timeout on an interface rule and again on a floating rule (quick, outbound, on the WAN for example) but that gets tricky since by the time the WAN floating rules outbound get parsed NAT has applied, so you may not be able to distinguish based on source address unless you NAT each interface out a different IP address… or if you can match based on destination that would work for certain.

firewalluser

@jimp:

You can set timeouts for TCP on individual rules, just keep in mind you must set the timeout on an interface rule and again on a floating rule (quick, outbound, on the WAN for example) but that gets tricky since by the time the WAN floating rules outbound get parsed NAT has applied, so you may not be able to distinguish based on source address unless you NAT each interface out a different IP address… or if you can match based on destination that would work for certain.

I'll check that out, it sound like its better suited for my needs instead of a blanket state timeout. Thanks.

Derelict

@jimp:

You can set timeouts for TCP on individual rules, just keep in mind you must set the timeout on an interface rule and again on a floating rule (quick, outbound, on the WAN for example) but that gets tricky since by the time the WAN floating rules outbound get parsed NAT has applied, so you may not be able to distinguish based on source address unless you NAT each interface out a different IP address… or if you can match based on destination that would work for certain.

Or you can mark the traffic on the LAN in rule and match the mark on the floating out rule.