On 12/30/05, James W. McKeand <james at mckeand dot biz> wrote:
> tech at adaptive dot net wrote:
> > What defines the use of these states? Say you have a request for a
> > web page with some 20 images on it. The server is serving these out
> > as individual files or 'hits'. Do each of these 20 images count as a
> > single 'state' or is the web page request as a whole considered one
> > 'state'?
>
> Take a look at the state table in the Diagnostics. You should see that a
> state is a session between computers (by IP address and port - assuming
> 1.2). So, unless your web browser opens a separate session for each
> image, you should only have one session for the web page request.
>

I believe that's generally correct. If you look at 5 different web browsers on 5 different OS's, you might get all different results though. Also, for example, some people configure Firefox to fetch multiple items on a page simultaneously, so you might have 5 or so simultaneous with something like that.

The vast majority of states will be quickly removed from the state table, as the connections will be properly closed. If anything, ipfilter is a bit overzealous in cutting off states (not that other firewalls aren't - my PIX firewalls drop more legit reply traffic than my m0n0walls). My point being, states don't hang around for long. A few won't get closed properly for a number of reasons, but will get timed out after an hour and a half (IIRC that's the default in 1.2, if not exactly that, it's close).

I believe I stated this previously, but with only 12 Mb of web/mail/DNS/etc. traffic at peak times, I seriously doubt if you're using > 30K states. I'd be surprised if you're using half that many.

-Chris