 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  monowall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Robust enough for heavy duty?
 Date:  Fri, 30 Dec 2005 13:00:41 -0500
On 12/30/05, James W. McKeand <james at mckeand dot biz> wrote:
> tech at adaptive dot net wrote:
> > What defines the use of these states?  Say you have a request for a
> > web page with some 20 images on it.  The server is serving these out
> > as individual files or 'hits'.  Do each of these 20 images count as a
> > single 'state' or is the web page request as a whole considered one
> > 'state'?
> Take a look at the state table in the Diagnostics. You should see that a
> state is a session between computers (by IP address and port - assuming
> 1.2). So, unless your web browser opens a separate session for each
> image, you should only have one session for the web page request.

I believe that's generally correct.  If you look at 5 different web
browsers on 5 different OS's, you might get all different results
though.  Also, for example, some people configure Firefox to fetch
multiple items on a page simultaneously, so you might have 5 or so
simultaneous with something like that.

The vast majority of states will be quickly removed from the state
table, as the connections will be properly closed.  If anything,
ipfilter is a bit overzealous in cutting off states (not that other
firewalls aren't - my PIX firewalls drop more legit reply traffic than
my m0n0walls).  My point being, states don't hang around for long.  A
few won't get closed properly for a number of reasons, but will get
timed out after an hour and a half (IIRC that's the default in 1.2, if
not exactly that, it's close).

I believe I stated this previously, but with only 12 Mb of
web/mail/DNS/etc. traffic at peak times, I seriously doubt if you're
using > 30K states.  I'd be surprised if you're using half that many.
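To make the thread's point concrete, here is a toy state-table model written for this page (it is not m0n0wall or ipfilter code). It keeps one entry per 5-tuple, removes a closed entry shortly after a FIN/RST is seen, and lets an unclosed entry sit until an idle timeout; the timeouts, the RFC 5737 addresses, the page-fetch pattern and the "FIN or RST means closed" simplification are all assumptions. It shows that a 20-object page costs one state per TCP connection rather than one per object, that the few connections that never close are what linger, and (via Little's law) how the idle timeout drives the expected table size.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed defaults (assumptions, not ipfilter's real values):
IDLE_TIMEOUT = 90 * 60   # unclosed state dropped after ~1.5 h idle, as the post recalls for 1.2
CLOSE_WAIT = 30          # properly closed (FIN/RST seen) state removed 30 s later

FlowKey = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"   # constructed RFC 5737 addresses


@dataclass
class StateEntry:
    created: float
    last_seen: float
    closed_at: Optional[float] = None


class StateTable:
    """Minimal stateful-firewall table: one entry per connection 5-tuple."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT, close_wait: float = CLOSE_WAIT):
        self.idle_timeout = idle_timeout
        self.close_wait = close_wait
        self.entries: Dict[FlowKey, StateEntry] = {}
        self.peak = 0

    def expire(self, now: float) -> int:
        """Purge closed entries past CLOSE_WAIT and idle entries past IDLE_TIMEOUT."""
        dead = []
        for key, e in self.entries.items():
            if e.closed_at is not None:
                if now - e.closed_at >= self.close_wait:
                    dead.append(key)
            elif now - e.last_seen >= self.idle_timeout:
                dead.append(key)
        for key in dead:
            del self.entries[key]
        return len(dead)

    def packet(self, now: float, key: FlowKey, flags: str = "") -> int:
        """Account one packet on a flow; returns the table size afterwards."""
        self.expire(now)
        e = self.entries.get(key)
        if e is None:                      # first packet of a flow creates the state
            e = StateEntry(created=now, last_seen=now)
            self.entries[key] = e
        e.last_seen = now
        if e.closed_at is None and ("F" in flags or "R" in flags):
            e.closed_at = now              # simplification: FIN or RST closes the state
        self.peak = max(self.peak, len(self.entries))
        return len(self.entries)

    def size(self, now: float) -> int:
        self.expire(now)
        return len(self.entries)


def fetch_page(table: StateTable, start: float, n_objects: int, parallel: int) -> List[FlowKey]:
    """Fetch n_objects over `parallel` keep-alive connections, then close them all."""
    keys = [("tcp", CLIENT, 40000 + i, SERVER, 80) for i in range(parallel)]
    t = start
    for i in range(n_objects):
        table.packet(t, keys[i % parallel], "S" if i < parallel else "")
        t += 0.05
    for key in keys:
        table.packet(t, key, "F")
    return keys


def states_for_page(n_objects: int, parallel: int) -> int:
    """Peak states used to load one page: one per connection, not one per object."""
    table = StateTable()
    fetch_page(table, 0.0, n_objects, parallel)
    return table.peak


def lingering_states(seconds_after: float) -> int:
    """Four connections opened at t=0, three closed cleanly at t=1, one never closed.
    Returns how many entries are still in the table `seconds_after` the closes."""
    table = StateTable()
    keys = [("tcp", CLIENT, 40000 + i, SERVER, 80) for i in range(4)]
    for key in keys:
        table.packet(0.0, key, "S")
    for key in keys[:-1]:
        table.packet(1.0, key, "F")
    return table.size(1.0 + seconds_after)


def expected_table_size(new_conns_per_sec: float, avg_lifetime_s: float,
                        unclosed_fraction: float, idle_timeout: float = IDLE_TIMEOUT) -> float:
    """Little's law: mean entries = arrival rate x mean residence time in the table."""
    closed_residence = avg_lifetime_s + CLOSE_WAIT
    unclosed_residence = avg_lifetime_s + idle_timeout
    mean_residence = ((1 - unclosed_fraction) * closed_residence
                      + unclosed_fraction * unclosed_residence)
    return new_conns_per_sec * mean_residence


if __name__ == "__main__":
    print("20 images, 1 keep-alive conn  ->", states_for_page(20, 1), "state(s)")
    print("20 images, 5 parallel conns   ->", states_for_page(20, 5), "state(s)")
    print("entries 60 s after closes     ->", lingering_states(60))
    print("expected size @100 conn/s, 1% unclosed ->", expected_table_size(100, 5, 0.01))
```

The last function is the useful one for capacity planning: with a 1.5 h idle timeout, even one unclosed connection in a hundred adds more residence time to the average than all the cleanly closed ones combined, so the leak rate rather than the page-object count is what sets the steady-state table size.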