On 8/11/07, David Burgess <apt dot get at gmail dot com> wrote:
>
> How about dropping your tcp idle timeout on the Advanced page?
>
That might help, but you'd probably really have to crank it down to
make a significant difference, to the point that it would break things
for users who aren't causing a problem.

One of the reasons the state table fills up so fast with worm activity
is that the machines attempt to communicate with a bunch of
non-existent and firewalled hosts, which leaves the state hanging
possibly until it times out (malware likely isn't going to close half
open connections on the firewall).

I'm not sure offhand how m0n0wall handles large numbers of half open
connections. If you can find a way to timeout half open connections
more aggressively, that may be a partial solution to improve the
situation.
-Chris
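To illustrate the point made in the thread (the established-flow idle timeout barely matters against a worm that leaves half-open states behind, while a shorter half-open timeout does), here is an added simulation that is not part of the mailing list discussion or of m0n0wall itself. The workload and the timeout values are constructed assumptions, not measured figures or m0n0wall defaults; each state is assumed to live until its own timeout fires, since nothing tears it down.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Timeouts:
    established_idle_ms: int  # idle timeout for completed TCP handshakes
    half_open_ms: int         # timeout for SYN-sent states that never get a reply


def worm_scan_workload(duration_s=600, legit_per_s=1, probes_per_s=50):
    """Constructed event stream of (start_ms, kind). 'legit' flows complete the
    handshake and then sit idle; 'probe' flows are worm SYNs to hosts that never
    answer, so they stay half-open until the half-open timeout expires."""
    events = []
    for kind, rate in (("legit", legit_per_s), ("probe", probes_per_s)):
        step = 1000 // rate  # integer milliseconds between new states
        events += [(t, kind) for t in range(0, duration_s * 1000, step)]
    return events


def peak_states(events, timeouts):
    """Peak number of concurrent firewall states. Nothing sends FIN/RST, so a
    state is only ever removed by its timeout (idle for legit, half-open for probes)."""
    starts, ends = [], []
    for start, kind in events:
        hold = timeouts.established_idle_ms if kind == "legit" else timeouts.half_open_ms
        starts.append(start)
        ends.append(start + hold)
    starts.sort()
    ends.sort()
    alive = peak = j = 0
    for start in starts:
        while j < len(ends) and ends[j] <= start:  # expire timed-out states first
            alive -= 1
            j += 1
        alive += 1
        peak = max(peak, alive)
    return peak


def compare_timeouts(events):
    """Peak occupancy under three policies (all timeout values are assumptions)."""
    return {
        "baseline": peak_states(events, Timeouts(3_600_000, 600_000)),
        "idle_lowered": peak_states(events, Timeouts(300_000, 600_000)),
        "half_open_lowered": peak_states(events, Timeouts(3_600_000, 30_000)),
    }


if __name__ == "__main__":
    for name, peak in compare_timeouts(worm_scan_workload()).items():
        print(f"{name:>18}: {peak} concurrent states")
```

With this workload, cutting the idle timeout from an hour to five minutes only removes the 300 idle legitimate flows, while cutting the half-open timeout from ten minutes to thirty seconds drops the peak from roughly 30,000 states to about 2,000.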