next »

[theflakes]

I've set a state timeout of 300 seconds for our student networks.  When I look at pfTop the IN state has the right timeout value, but the OUT state still shows the aggressive value of 18,000.  This leaves a lot of OUT states waiting to expire after the IN state has long expired.  Two questions:

How can I have the OUT states use the rule set state timeout of 300 seconds instead of the default system state timeout of 18,000?

If the above cannot be done will this cause issues with the max-src-states and max-src connection directives, or do those only count IN state table entries?

I've tried setting the state timeout on LAN and Floating rules with the same results.

thanks

[theflakes]

From the research I've done it does not seem it is possible to change the OUT state timeout.

[jimp]

Add a floating rule to pass quick in the 'out' direction on the interface the traffic will leave (or any interface) with the same source/destination, and set the timeout there also.

[theflakes]

Thanks

Unfortunately it breaks any connection.  The following is what I defined on the floating rule:

pass:apply immediately:tcp:same source: same dest(any):300 timeout for state

With the above rule active tcp connection never reach established:established.  I tried multiple variations on this rule with no success.