Chris Buechler wrote:
> On 11/6/06, bunea lucian <lucienut2003 at yahoo dot com> wrote:
>> You are right. One pc is using more than one p2p programs at once and
>> it's exhausting
>> my state table . He is using WinXP SP2 (max 10 tcp connection/s) but
>> Is there something I can do to limit the maximum concurent tcp
>> conection per IP
> No, not at this time. It's something you'll probably see in 1.3, and
> pfsense, a m0n0wall-derivitive, supports this now.
> 30,000 states is a LOT to be chewing up with one machine, I don't care
> how many P2P apps you're running. I would look for settings in the
> P2P apps to limit the number of concurrent connections. Most
> BitTorrent clients have this, for example. One of those apps is
> seriously misbehaving.
I'd lower UDP/TCP timeout value. In P2P, there is often a lot of
leftout connections, decreasing the UDP/TCP timeout helps to keep the
number of connections lower thus keeping state table from filling. In
mOnOwall, default TCP Timeout is 2.5 hours from 1.2b2.
Excerpt from mOnO handbook:
As of 1.2b2, the TCP idle timeout for the firewall is 2.5 hours instead
of the ipfilter default of 10 days (!) to keep the state table from
filling up with dead connections. This value can be modified on the
advanced setup page, though that is not recommended. So of course if
your SSH connection doesn't transfer a single byte for two hours, the
ipfilter state table entry is deleted and the connection breaks. Turning
on keep-alives in your SSH client is the recommended means of avoiding
Chris, maybe you have a comment on all this.
Guy Boisvert, ing.