Netgate Discussion Forum

    Variable State Timeouts - possible?

    General pfSense Questions

    firewalluser:

      I think I know the answer to this will be no, but I'll ask.

      At the moment we have one setting for state timeouts, which is
      https://www.freebsd.org/cgi/man.cgi?query=pf.conf%285%29&sektion=

          normal
              A normal network environment. Suitable for almost all networks.
          high-latency
              A high-latency environment (such as a satellite connection).
          satellite
              Alias for high-latency.
          aggressive
              Aggressively expire connections. This can greatly reduce the memory usage of the firewall at the cost of dropping idle connections early.
          conservative
              Extremely conservative settings. Avoid dropping legitimate connections at the expense of greater memory utilization (possibly much greater on a busy network) and slightly increased processor utilization.


      Question is, with pfSense being used with multiple optional interfaces (OPTx), would it be possible to have a different state timeout for the different interfaces of a single-firewall DMZ?

      Things like the TV set-top box require a long/satellite timeout, otherwise it's useless and slow getting things like TV guide data from its multiple sources, but for things like my email server on a separate network interface I'd like a short/aggressive timeout.
      As pfSense can kill states with the scheduler, I wondered if it would be possible for pfSense to do state timeouts by interface?

      A workaround at the moment is just to set pfSense, as it's the WAN-side-facing firewall, to the long/satellite optimisation, and then put another firewall (two-firewall DMZ) in front of the email server with a short/aggressive state timeout.

      So would it be possible for pfSense to have different state timeouts by NIC?

      TIA.

      doktornotor:

        No, no such thing is supported in pf (I mean the pf packet filter, not pfSense).

        jimp (Netgate developer):

          You can set timeouts for TCP on individual rules. Just keep in mind you must set the timeout on an interface rule and again on a floating rule (quick, outbound, on the WAN for example), but that gets tricky, since by the time the WAN outbound floating rules get parsed NAT has already been applied, so you may not be able to distinguish based on source address unless you NAT each interface out a different IP address… or if you can match based on destination, that would work for certain.

          firewalluser:

            @jimp:

            You can set timeouts for TCP on individual rules. Just keep in mind you must set the timeout on an interface rule and again on a floating rule (quick, outbound, on the WAN for example), but that gets tricky, since by the time the WAN outbound floating rules get parsed NAT has already been applied, so you may not be able to distinguish based on source address unless you NAT each interface out a different IP address… or if you can match based on destination, that would work for certain.

            I'll check that out, it sounds like it's better suited to my needs than a blanket state timeout. Thanks.

            Derelict (Netgate):

              @jimp:

              You can set timeouts for TCP on individual rules. Just keep in mind you must set the timeout on an interface rule and again on a floating rule (quick, outbound, on the WAN for example), but that gets tricky, since by the time the WAN outbound floating rules get parsed NAT has already been applied, so you may not be able to distinguish based on source address unless you NAT each interface out a different IP address… or if you can match based on destination, that would work for certain.

              Or you can mark the traffic on the LAN "in" rule and match the mark on the floating "out" rule.

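The approach jimp and Derelict describe, written out as an added example in raw pf.conf syntax. This is not config from the thread and not something pfSense generates; pfSense builds its ruleset from the GUI (the per-rule advanced options jimp refers to), so this only shows what those options amount to underneath. Interface names, the documentation-range addresses, the set-top box network and the mail server host are all assumptions for illustration, as are the timeout values.

```pf
# Added example, not from the thread. Interfaces, addresses and timeout
# values are assumptions.
wan      = "em0"
dmz_tv   = "em1"             # set-top box segment
dmz_mail = "em2"             # mail server segment
tv_net   = "192.0.2.128/25"  # assumed
mail_srv = "192.0.2.25"      # assumed

# Global profile: the long "satellite" timeouts the original post settles on.
# Everything that does not override a timeout per rule inherits these.
set optimization satellite

# Outbound NAT is applied before the filter rules are evaluated, so by the
# time a packet reaches the WAN "out" rule its source is the WAN address,
# not 192.0.2.25. Matching on the original source there will not work.
nat on $wan from { $tv_net, $mail_srv } to any -> ($wan)

# Set-top box: inherit the long global timeouts, just tag the state so the
# WAN rule can still tell it apart from mail traffic after NAT.
pass in quick on $dmz_tv inet proto tcp from $tv_net to any \
    tag TV_OUT keep state

# Mail server: short, aggressive timeouts on the interface ("in") rule ...
pass in quick on $dmz_mail inet proto tcp from $mail_srv to any \
    port { 25, 465, 587 } \
    tag MAIL_OUT keep state (tcp.established 600, tcp.closing 30)

# ... and again on the WAN outbound rule, matched by the tag carried in the
# state rather than by the (already translated) source address.
pass out quick on $wan inet proto tcp tagged MAIL_OUT \
    keep state (tcp.established 600, tcp.closing 30)
pass out quick on $wan inet proto tcp tagged TV_OUT keep state
```

The two things to check after loading a ruleset like this: `pfctl -st` prints the timeout values the active optimization profile actually uses, and `pfctl -vvss` lists each state with its "expires in" counter, so you can confirm that a mail session's state is counting down from the per-rule value while a set-top box state still shows the long global one. Note that a per-rule timeout overrides only the timeout names you list; any TCP state not listed (syn, first, opening) still uses the global profile, and the example covers TCP only, so UDP and ICMP states from either segment keep the satellite defaults.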
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.