On May 18, 2020 1:58:49 AM GMT+03:00, "Paul B. Henson" <hen...@acm.org> wrote:
>I'm trying to set a longer timeout on a udp state, and for some reason
>it seems to be disappearing before the expiration 8-/.
>There are 3 rules involved:
>pass in quick on vlan110 proto udp from any to port = 9430 tag VOIP_UDP
>keep state (udp.multiple 360)
>pass out quick on $ext_if proto udp tagged VOIP_UDP keep state
>(udp.multiple 360)
>match out on $ext_if from nat-to { $ext_vip }
>I turned on pf debugging, when the connection is created I see:
>May 17 15:36:39 lisa /bsd: pf: key search, in on vlan110: UDP wire: (0)
>May 17 15:36:39 lisa /bsd: pf: key setup: UDP wire: (0)
> stack: (0) -
>May 17 15:36:39 lisa /bsd: pf: key search, out on em2: UDP wire: (0)
>May 17 15:36:39 lisa /bsd: pf: key setup: UDP wire: (0)
> stack: (0)
>and there are state entries:
>all udp <-       MULTIPLE:MULTIPLE
>age 00:02:21, expires in 00:05:00, 29:29 pkts, 14166:18501 bytes, rule
>all udp ( ->  
>age 00:02:21, expires in 00:05:00, 29:29 pkts, 14166:18501 bytes, rule
>48, source-track
>However, right after the 5 minute mark the states disappear. The last
>pf log entries are:
>May 17 15:38:47 lisa /bsd: pf: key search, in on vlan110: UDP wire: (0)
>May 17 15:38:47 lisa /bsd: pf: key search, out on em2: UDP wire: (0)
>I was hoping to see something about expiration in the pf debug logs but
>this is all that appears to be available.
>Any idea why these states would go away when there is 5 minutes left
>before the expiration?
>Thanks much...

Short googling shows me:
In the case of protocols without "start" and "end" packets, PF simply keeps 
track of how long it has been since a matching packet has gone through. If the 
timeout is reached, the state is cleared. The timeout values can be set in the 
options section of the pf.conf file.

What does your conf have as a timeout?

Best Regards,
Strahil Nikolov
