Solved Connection states

[Phishfry]

When I close my SeaMonkey browser it is setup to delete everything. Cookies, history, ect...

But when I open my firewall pflog I notice many port :443 sockets lingering for 2 minutes.

Where can I read on solutions? I want to cut down all 80/443 sockets on SeaMonkey shutdown.

I frequently reopen it thinking everything is clear, when infact I still have active connections.

Is this solvable? I prefer to not post my whole rule set so perhaps steer me to good reading.

 

[SirDice]

But when I open my firewall pflog I notice many port :443 sockets lingering for 2 minutes.

The RST or FIN not completed? Thus it still keeps the connection state open until that times out?

What does netstat(1) show on the host that runs SeaMonkey regarding those connection states?

 

[Phishfry]

I am not having this problem but it did help me understand states better.

222126 – pf is not clearing expired states

bugs.freebsd.org

What I am wondering is what sets the length of state. IE. When it expires?

I would like to speed up expiration.

 

[Phishfry]

So FIN_WAIT_2 is what I am inquiring about? How do I reduce expiration time?

I would imagine the 'Googles' hang on to their state to track you?
So my browser closing is useless unless states cleared.

 

[SirDice]

I would imagine the 'Googles' hang on to their state to track you?

To what end? They've already tracked your connection when it was created. Keeping the connection in some "limbo" state doesn't add anything.

 

[Phishfry]

So is this normal and I am worrying about nothing?

 

[SirDice]

TCP: About FIN_WAIT_2, TIME_WAIT and CLOSE_WAIT - Benohead's Software Blog

TCP states Most of the 11 TCP states are pretty easy to understand and most programmers know what they mean: CLOSED: There is no connection. LISTEN: The local end-point is waiting for a connection request from a remote end-point i.e. a passive open was performed. SYN-SENT: The first step of the...

benohead.com

 

[Phishfry]

That led me to:

tcp_fin_timeout analogon

freebsd-questions.freebsd.narkive.com

Which leads me to this:
/etc/pf.conf

set timeout tcp.closing 60
set timeout tcp.finwait 60
set timeout tcp.closed 30

So I hate to play with my firewalls default settings but now I know the knobs to turn.
This was my final helper.

fwbuilder/test/pf/firewall.conf.orig at master · Uninett/fwbuilder

Firewall Builder. Contribute to Uninett/fwbuilder development by creating an account on GitHub.

github.com

 

[Phishfry]

Thanks SirDice for working on your day off! I know most Fridays you are off.

 

[SirDice]

I know most Fridays you are off.

I'm never off. Rarely take a day off actually. That reminds me though, I do need to schedule some R&R.

 

[Phishfry]

Defaults:
root@x9srl:/home/firewall # pfctl -s timeouts

tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s