On 12/30/05, James W. McKeand <james at mckeand dot biz> wrote:
> tech at adaptive dot net wrote:
> > What defines the use of these states? Say you have a request for a
> > web page with some 20 images on it. The server is serving these out
> > as individual files or 'hits'. Do each of these 20 images count as a
> > single 'state' or is the web page request as a whole considered one
> > 'state'?
> Take a look at the state table in the Diagnostics. You should see that a
> state is a session between computers (by IP address and port - assuming
> 1.2). So, unless your web browser opens a separate session for each
> image, you should only have one session for the web page request.

I believe that's generally correct. If you look at 5 different web
browsers on 5 different OS's, you might get all different results
though. Also, for example, some people configure Firefox to fetch
multiple items on a page simultaneously, so you might have 5 or so
simultaneous with something like that.

The vast majority of states will be quickly removed from the state
table, as the connections will be properly closed. If anything,
ipfilter is a bit overzealous in cutting off states (not that other
firewalls aren't - my PIX firewalls drop more legit reply traffic than
my m0n0walls). My point being, states don't hang around for long. A
few won't get closed properly for a number of reasons, but will get
timed out after an hour and a half (IIRC that's the default in 1.2, if
not exactly that, it's close).

I believe I stated this previously, but with only 12 Mb of
web/mail/DNS/etc. traffic at peak times, I seriously doubt if you're
using > 30K states. I'd be surprised if you're using half that many.