Chris Buechler wrote:
> On 11/6/06, bunea lucian <lucienut2003 at yahoo dot com> wrote:
>>
>> You are right. One pc is using more than one p2p program at once and
>> it's exhausting my state table. He is using WinXP SP2 (max 10 tcp
>> connection/s) but still..
>> Is there something I can do to limit the maximum concurrent tcp
>> connection per IP address?
>>
>
> No, not at this time. It's something you'll probably see in 1.3, and
> pfsense, a m0n0wall-derivative, supports this now.
>
> 30,000 states is a LOT to be chewing up with one machine, I don't care
> how many P2P apps you're running. I would look for settings in the
> P2P apps to limit the number of concurrent connections. Most
> BitTorrent clients have this, for example. One of those apps is
> seriously misbehaving.
>
> -Chris

I'd lower the UDP/TCP timeout value. In P2P, there are often a lot of left-over connections; decreasing the UDP/TCP timeout helps to keep the number of connections lower, thus keeping the state table from filling.

In m0n0wall, the default TCP timeout is 2.5 hours from 1.2b2.

Excerpt from the m0n0 handbook:
=====================
As of 1.2b2, the TCP idle timeout for the firewall is 2.5 hours instead of the ipfilter default of 10 days (!) to keep the state table from filling up with dead connections. This value can be modified on the advanced setup page, though that is not recommended.

So of course if your SSH connection doesn't transfer a single byte for two hours, the ipfilter state table entry is deleted and the connection breaks. Turning on keep-alives in your SSH client is the recommended means of avoiding broken sessions.

Chris, maybe you have a comment on all this.

Regards,

Guy Boisvert, ing.
IngTegration inc.
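
The idle-timeout behaviour discussed in this thread, as an added example that is not part of the original messages or of m0n0wall/ipfilter code. It is a simplified model of idle expiry only; the flow names, packet timings and the assumption that a connection breaks once its entry is gone are constructed for illustration.

```python
# Toy model of a stateful firewall's TCP idle timeout (constructed example).
# A state entry is created by a flow's first packet, refreshed by every later
# packet, and deleted once the flow has been silent for `timeout` seconds.

TCP_IDLE_IPFILTER = 10 * 24 * 3600   # ipfilter default quoted above: 10 days
TCP_IDLE_M0N0WALL = int(2.5 * 3600)  # m0n0wall value quoted above: 2.5 hours


def track(packets, timeout):
    """Return (expiry_time, broke) for one flow, given its packet times in seconds."""
    last = packets[0]
    for t in packets[1:]:
        if t - last >= timeout:
            # The entry was already deleted when this packet arrived.
            # Assumption: the mid-stream packet matches no state and the
            # connection breaks, so no new entry is created.
            return last + timeout, True
        last = t  # traffic refreshes the idle timer
    return last + timeout, False


def table_size(flows, timeout, now):
    """Number of state entries still held at time `now`."""
    return sum(
        1 for packets in flows.values()
        if packets[0] <= now < track(packets, timeout)[0]
    )


def broken(flows, timeout):
    """Names of flows that sent a packet after their entry had expired."""
    return sorted(name for name, p in flows.items() if track(p, timeout)[1])


def sample_flows():
    """Constructed traffic: dead P2P connections plus two SSH sessions."""
    # One P2P connection per second for an hour; each peer vanishes after 5 s
    # without closing, leaving a dead entry behind.
    flows = {f"p2p-{i}": [i, i + 5] for i in range(3600)}
    flows["ssh-idle"] = [0, 3 * 3600]                           # silent for 3 hours
    flows["ssh-keepalive"] = list(range(0, 3 * 3600 + 1, 300))  # keep-alive every 5 min
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for label, timeout in (("10 days", TCP_IDLE_IPFILTER), ("2.5 hours", TCP_IDLE_M0N0WALL)):
        print(label, "-> entries after 4 h:", table_size(flows, timeout, 4 * 3600),
              "| broken:", broken(flows, timeout))
```

In this model the shorter timeout clears all the dead P2P entries within four hours, at the cost of the SSH session that sent nothing for three hours; the session with keep-alives survives either setting.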