We have a very similar situation and are planning to replace our current
firewall with m0n0. With 10 - 13 mbps of data and 13,000+ email users
we have a maximum of 6500 sessions (states) with a CPU utilization of 20%
in our current firewall (Fortigate 200). It only goes over that value if
there's an attack or a similar problem, like 30,000 to 35,000 sessions.
The reason for the replacement is that our firewall can't do bridging and NAT at
the same time, while m0n0 does. Also ours can't do more than one bridge
even if there are enough interfaces, while I successfully did it with m0n0.
tech at adaptive dot net wrote:
> Thanks for your guidance. My only concern with the original request
> is that the 12 mbps is coming from some 20,000 email users and 4,000
> web sites, so it is not necessarily big chunks of data, but perhaps
> lots of small chunks, which may eat up the 30,000 states is what I fear.
> ----- Original Message ----- From: "Chris Buechler" <cbuechler at gmail dot com>
> Cc: "monowall" <m0n0wall at lists dot m0n0 dot ch>
> Sent: Friday, December 30, 2005 1:00 PM
> Subject: Re: [m0n0wall] Robust enough for heavy duty?
> On 12/30/05, James W. McKeand <james at mckeand dot biz> wrote:
>> tech at adaptive dot net wrote:
>> > What defines the use of these states? Say you have a request for a
>> > web page with some 20 images on it. The server is serving these out
>> > as individual files or 'hits'. Do each of these 20 images count as a
>> > single 'state' or is the web page request as a whole considered one
>> > 'state'?
>> Take a look at the state table in the Diagnostics. You should see that a
>> state is a session between computers (by IP address and port - assuming
>> 1.2). So, unless your web browser opens a separate session for each
>> image, you should only have one session for the web page request.
> I believe that's generally correct. If you look at 5 different web
> browsers on 5 different OSes, you might get all different results
> though. Also, for example, some people configure Firefox to fetch
> multiple items on a page simultaneously, so you might have 5 or so
> simultaneous with something like that.
> The vast majority of states will be quickly removed from the state
> table, as the connections will be properly closed. If anything,
> ipfilter is a bit overzealous in cutting off states (not that other
> firewalls aren't - my PIX firewalls drop more legit reply traffic than
> my m0n0walls). My point being, states don't hang around for long. A
> few won't get closed properly for a number of reasons, but will get
> timed out after an hour and a half (IIRC that's the default in 1.2, if
> not exactly that, it's close).
> I believe I stated this previously, but with only 12 Mb of
> web/mail/DNS/etc. traffic at peak times, I seriously doubt if you're
> using > 30K states. I'd be surprised if you're using half that many.
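The thread's two points about state usage (a state is one IP/port session, so a page with 20 images costs one state or many depending on how the browser connects; and states that are never closed only go away at the idle timeout) can be seen with a toy state table. The following is an added example written for this page, not m0n0wall or ipfilter code. The packet traces are constructed, the 5-tuple key and SYN/FIN/RST handling are a simplification of what a real stateful filter does, and the 5400-second timeout is an assumed exact value for the "hour and a half" mentioned above.

```python
"""Toy stateful-firewall state table (added example, not m0n0wall/ipfilter code).

A state is keyed by the 5-tuple (proto, src ip, src port, dst ip, dst port).
A SYN creates a state, FIN or RST removes it, and anything idle longer than
the timeout is expired.  Only the client-to-server direction is modelled;
replies would simply refresh the same state.  All traces are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

IDLE_TIMEOUT = 5400.0  # seconds; assumed value for "an hour and a half"

Key = Tuple[str, str, int, str, int]


@dataclass
class Packet:
    t: float          # timestamp in seconds
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # any of "S" (SYN), "F" (FIN), "R" (RST)


class StateTable:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.states: Dict[Key, float] = {}  # key -> last-seen time
        self.peak = 0

    def expire(self, now: float) -> int:
        """Drop states idle longer than the timeout; return how many."""
        dead = [k for k, last in self.states.items() if now - last > self.idle_timeout]
        for k in dead:
            del self.states[k]
        return len(dead)

    def process(self, pkt: Packet) -> None:
        self.expire(pkt.t)
        key: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.states:
            if "S" in pkt.flags:          # new connection opens a state
                self.states[key] = pkt.t
            # packets with no state and no SYN would be dropped by the filter
        elif "F" in pkt.flags or "R" in pkt.flags:
            del self.states[key]          # proper close frees the state at once
        else:
            self.states[key] = pkt.t      # traffic refreshes the idle timer
        self.peak = max(self.peak, len(self.states))

    def run(self, packets: List[Packet]) -> int:
        for p in sorted(packets, key=lambda p: p.t):
            self.process(p)
        return self.peak


def page_load(client: str, server: str, objects: int, connections: int,
              t0: float = 0.0) -> List[Packet]:
    """Constructed trace: `objects` HTTP requests spread over `connections`
    keep-alive TCP connections opened at the same time and closed cleanly."""
    pkts: List[Packet] = []
    for c in range(connections):
        sport = 40000 + c
        pkts.append(Packet(t0, "tcp", client, sport, server, 80, "S"))
        for i in range(c, objects, connections):       # round-robin the requests
            pkts.append(Packet(t0 + 0.1 * (i + 1), "tcp", client, sport, server, 80))
        pkts.append(Packet(t0 + 0.1 * (objects + 1), "tcp", client, sport, server, 80, "F"))
    return pkts


def peak_states(objects: int, connections: int) -> int:
    """Peak state-table size for one page load (page + images = objects)."""
    return StateTable().run(page_load("10.0.0.5", "203.0.113.10", objects, connections))


def states_after_idle(seconds: float) -> int:
    """One connection is opened and never closed; a second one arrives
    `seconds` later.  Returns how many states remain at that point."""
    table = StateTable()
    table.process(Packet(0.0, "tcp", "10.0.0.5", 50000, "203.0.113.10", 443, "S"))
    table.process(Packet(seconds, "tcp", "10.0.0.6", 50001, "203.0.113.10", 443, "S"))
    return len(table.states)


if __name__ == "__main__":
    for conns in (1, 5, 21):
        print(f"21 objects over {conns} connection(s): peak states = {peak_states(21, conns)}")
    print("states 100 s after an unclosed SYN:", states_after_idle(100))
    print("states 6000 s after an unclosed SYN:", states_after_idle(6000))
```

With one keep-alive connection the whole page costs a single state; with five parallel connections it costs five, and with a browser that opens a fresh connection per object it costs one per object, which is the spread James and Chris describe. The unclosed connection survives a 100-second gap but is gone after 6000 seconds, which is the idle-timeout path for the "few that won't get closed properly".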