Managing State Tables


While PF uses rules to determine which connections may use stateful inspection, the actual state table is generated from the connections created by machines connecting through the firewall. Managing the state table therefore has two aspects: administering the rules for stateful inspection, and viewing and editing the state table itself. The rules for stateful inspection are actually managed as part of NAT and packet filtering, so we're left with viewing the state table itself.

Viewing the State Table

You can see the current contents of the state table with "pfctl -s state." Here's the output from a mostly idle network.

 # pfctl -s state
 tcp 192.168.1.200:51276 -> 209.69.178.18:51276 -> 209.69.178.22:22       ESTABLISHED:ESTABLISHED
 #

There is only one entry in this state table, for a TCP connection. The host 192.168.1.200 has opened port 51276 for an outbound connection. At the firewall, this IP undergoes translation to the IP 209.69.178.18, port 51276. This IP is connecting to the IP address 209.69.178.22 on port 22. The connection from the first machine to the firewall is in the state ESTABLISHED, and the connection from the firewall to the eventual destination is also in the state ESTABLISHED. While it's possible for the connection states to differ on either side of the firewall, this should only appear very briefly. If you have a large enough state table, you'll catch a few of them from time to time.

If you're looking for particular information in your state table, you might want to add the "-r" (reverse lookup) option. This will make the state table perform DNS lookups on every IP address in the table and display host names where possible. This can take much longer than displaying the state table without host names, but is more readable when you're just seeing who is talking to what. "209.81.7.23" doesn't mean much to most of us, but "www.sex.com" might hint that someone's having a little bit too much fun at work.

Removing States

If you want to clear every entry in your state table, you can flush the entire state table with "-F state." This will completely erase the state table.

 # pfctl -F state
 states cleared
 #

Most connections will actually recover from having the state table cleared, if the PF rules allow the connection to continue. For example, if we clear the state table shown earlier and wait a moment, the SSH session will continue, and PF will create a new state entry.

We mentioned earlier that changing your packet-filtering rules to disallow a certain connection did not cut off connections that were already in place. If you clear the state table after loading your updated packet-filtering rules, the existing connections will try to recover. If PF does not allow the connection, the connection cannot recover, and both ends of the connection will time out.

If you are using state modulation instead of stateful inspection, connections cannot recover. State modulation changes the initial sequence number of the connection by a random amount, and flushing the table removes that random number. Flushing the state table will destroy all existing connections using state modulation and disconnect everyone accessing the network over that rule.

Killing States

At times, timing out the connection simply isn't good enough. You may want to kill a particular existing connection. You can do this with the "-k" (kill) option. This takes a single argument, the host name or IP address of the traffic source. For example, to delete all state entries for traffic originating from 192.168.1.200, you would use this command:

 # pfctl -k 192.168.1.200
 killed 1 states from 1 sources and 0 destinations
 #

You can specify a second -k with a second host name or IP address, narrowing the states you want to eliminate down to those between two particular hosts.

 # pfctl -k 192.168.1.200 -k 209.69.178.22
 killed 1 states from 1 sources and 1 destinations
 #

These connections can probably recover, however, so the best thing to do is put in a packet-filtering rule that will disallow undesired connections.
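As an added example for both the "Viewing the State Table" and "Killing States" sections (this script is not from the book and does not call pf), the shell script below parses the classic "pfctl -s state" line format shown earlier with awk, prints each entry's untranslated source, translated address, destination and per-side state, and models which entries "pfctl -k SRC" and "pfctl -k SRC -k DST" would remove. The state lines are constructed sample data: the book's addresses plus an invented second internal host 192.168.1.201 and two invented destinations. The matching logic is a simplified model of -k's documented host matching on the untranslated source and the destination, ignoring ports.

```shell
#!/bin/sh
# Added example, not code from the book: parse "pfctl -s state" output and
# model what "pfctl -k" would remove. SAMPLE_STATES is constructed data;
# 192.168.1.201, 209.69.178.23 and 209.69.178.30 are invented.

SAMPLE_STATES='tcp 192.168.1.200:51276 -> 209.69.178.18:51276 -> 209.69.178.22:22       ESTABLISHED:ESTABLISHED
tcp 192.168.1.201:40112 -> 209.69.178.18:40112 -> 209.69.178.22:22       ESTABLISHED:ESTABLISHED
udp 192.168.1.200:53421 -> 209.69.178.18:53421 -> 209.69.178.23:53       MULTIPLE:SINGLE
tcp 192.168.1.200:51300 -> 209.69.178.30:443       ESTABLISHED:ESTABLISHED'

# explain_states: one key=value line per entry. A translated entry has the
# shape "proto src -> gw -> dst in:out" (7 whitespace-separated fields); an
# untranslated one has "proto src -> dst in:out" (5 fields).
explain_states() {
    printf '%s\n' "$SAMPLE_STATES" | awk '
    NF == 7 {
        split($7, st, ":")
        printf "proto=%s src=%s nat=%s dst=%s in=%s out=%s\n", $1, $2, $4, $6, st[1], st[2]
        next
    }
    NF == 5 {
        split($5, st, ":")
        printf "proto=%s src=%s nat=- dst=%s in=%s out=%s\n", $1, $2, $4, st[1], st[2]
    }'
}

# would_kill SRC [DST]: print the sample entries whose untranslated source
# host is SRC and, when DST is given, whose destination host is DST. This
# mirrors "pfctl -k SRC [-k DST]", which takes hosts, not ports, so the
# port suffix is stripped before comparing. Model only; pf is not touched.
would_kill() {
    printf '%s\n' "$SAMPLE_STATES" | awk -v src="$1" -v dst="$2" '
    function host(a) { sub(/:[0-9]+$/, "", a); return a }
    {
        s = host($2)
        d = (NF == 7) ? host($6) : host($4)
        if (s == src && (dst == "" || d == dst)) print
    }'
}

# count_killed SRC [DST]: number of entries would_kill would report.
count_killed() {
    would_kill "$@" | wc -l | tr -d ' '
}

explain_states
echo "--- pfctl -k 192.168.1.200 would remove $(count_killed 192.168.1.200) entries:"
would_kill 192.168.1.200
echo "--- pfctl -k 192.168.1.200 -k 209.69.178.22 would remove $(count_killed 192.168.1.200 209.69.178.22) entry:"
would_kill 192.168.1.200 209.69.178.22
```

Run it with sh. Note the order of operations the text above implies: a killed state for a connection the rules still permit will simply be recreated on the next packet, so load the updated packet-filtering rules with "pfctl -f" before killing or flushing the states, not after.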




Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298
