Netgate Discussion Forum

    Maximum state entries per host

Category: Firewalling
9 Posts, 4 Posters, 4.6k Views
charles.regan:

If I set this to 150, is it too much or not enough?
I want to limit my clients' connections to conserve my bandwidth.

hoba:

This all depends on what the clients are doing or on the speed of your hardware/bandwidth. It's hard to post a general number here. I would first do some investigations without restrictions, monitoring the overall states and the states at Diagnostics > States (you can filter per client there to see how many states your clients are consuming). 150 states should be enough for mail, FTP, browsing… unless the users fire up filesharing utilities, it should be enough.

billm:

@charles.regan:

    If I set this to 150, is it too much or not enough?
    I want to limit my clients' connections to conserve my bandwidth.

Connections will only help bandwidth if P2P is the issue. If I'm a user and pull down the latest FreeBSD ISO from a good mirror, I guarantee that connection counts won't save your bandwidth - for that matter, if you have HTTP prioritized, yer screwed too. ;)

–Bill

pfSense core developer
blog - http://www.ucsecurity.com/
twitter - billmarquette

pcatiprodotnet:

I'm considering setting max states per host to 80 on our wireless hotspot. I notice most hosts use <20 when I check it.
Are there any common uses (other than p2p) that would open many more states than really needed, or leave "ghost" states in the state table?
And, what is the default timeout for inactive states?
Thanks, -pc

hoba:

The default state timeout is 24h, but you can set the timeouts in the firewall rules for each kind of traffic individually. Abusive programs like worms or viruses might cause lots of states too, btw. Some port/subnet scanners are able to open a lot of connections at the same time, but I expect you don't want to let these run effectively on your hotspot ;)

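hoba's advice in this thread to look at how many states each client is holding before picking a limit, and to watch for worm- or scanner-like hosts that pile up states, can be scripted from the console. The following shell script is an added example and is not from this thread or from the pfSense project. It assumes the `pfctl -ss` line format of pf on FreeBSD (`iface proto src:port [(orig:port)] -> dst:port state`, with the pre-NAT address in parentheses when NAT rewrote the source), and the state lines embedded in it are constructed for the demonstration, not captured from a real firewall.

```shell
#!/bin/sh
# Count firewall states per internal host from `pfctl -ss` output.
# Added example; assumes the FreeBSD pfctl -ss line format described in the lead-in.

# Constructed sample of pfctl -ss output (not from a real system): one host with a
# handful of browsing states, one with many P2P-style states, one with a single SMTP state.
SAMPLE_STATES='all tcp 192.168.1.10:54321 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:54322 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.10:5353 -> 224.0.0.251:5353       NO_TRAFFIC:SINGLE
wan tcp 203.0.113.5:61234 (192.168.1.20:40001) -> 198.51.100.7:6881       ESTABLISHED:ESTABLISHED
wan tcp 203.0.113.5:61235 (192.168.1.20:40002) -> 198.51.100.8:6881       ESTABLISHED:ESTABLISHED
wan tcp 203.0.113.5:61236 (192.168.1.20:40003) -> 198.51.100.9:6881       ESTABLISHED:ESTABLISHED
wan udp 203.0.113.5:61237 (192.168.1.20:40004) -> 198.51.100.10:6881       MULTIPLE:MULTIPLE
all tcp 192.168.1.30:50000 -> 192.0.2.25:25       ESTABLISHED:ESTABLISHED'

# Read pfctl -ss lines on stdin; print "count host" for each source host, highest count first.
count_states_per_host() {
    awk '
    {
        # When NAT rewrote the source, field 4 holds "(original:port)"; otherwise field 3 is the source.
        src = ($4 ~ /^\(/) ? substr($4, 2, length($4) - 2) : $3
        sub(/:[0-9]+$/, "", src)     # drop an IPv4 ":port" suffix
        sub(/\[[0-9]+\]$/, "", src)  # drop an IPv6 "[port]" suffix
        count[src]++
    }
    END { for (h in count) printf "%d %s\n", count[h], h }
    ' | sort -rn
}

# Read pfctl -ss lines on stdin; print the hosts whose state count is at or above the
# given threshold, i.e. the clients a per-host limit of that size would start to cut off.
hosts_at_or_over() {
    limit="$1"
    count_states_per_host | awk -v lim="$limit" '$1 >= lim { print $2 }'
}

# Stand-alone demo over the constructed sample: sh states.sh --demo
# Against a live pfSense/FreeBSD state table: pfctl -ss | count_states_per_host
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_STATES" | count_states_per_host
    echo "hosts at or over 3 states:"
    printf '%s\n' "$SAMPLE_STATES" | hosts_at_or_over 3
fi
```

Running `pfctl -ss | count_states_per_host` on the firewall gives the same per-client view as filtering Diagnostics > States by address, and `hosts_at_or_over 80` shows which clients a limit of 80 would hit today. The "Maximum state entries per host" field corresponds to pf's `max-src-states` rule option, so the count that matters is states per source address of traffic matching that rule, which is why checking the distribution before setting the number is the safer order.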
pcatiprodotnet:

Does the default state timeout of 24h mean a state times out 24h after creation, or after 24h of inactivity?

Thanks, -pc

hoba:

It's inactivity (check pftop from the console to see how the expiry is renewed on traffic), and as it is per rule it only applies to the kind of traffic you specify in it.

pcatiprodotnet:

Does the "state limit per host" field also apply to hosts/IPs on other interfaces, such as the interface going out to the internet? I wouldn't want to inadvertently limit connections to popular web sites.
Thanks, -pc

hoba:

It applies to the traffic specified in the rule.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.