Maximum state entries per host
-
If I set this to 150, is it too much or not enough?
I want to limit my clients' connections to conserve my bandwidth.
-
This all depends on what the clients are doing and on the speed of your hardware/bandwidth. It's hard to post a general number here. I would first do some investigations without restrictions, monitoring the overall states and the states at Diagnostics > States (you can filter per client there to see how many states your clients are consuming). 150 states should be enough for mail, FTP, browsing... unless the users fire up filesharing utilities, it should be enough.
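Counting states per client from `pfctl -ss` output (the same data pfSense shows under Diagnostics > States), as the reply above suggests doing before choosing a per-host limit. This is an added example, not code from the thread or from pfSense; the line format, the sample entries and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -ss` output. Format assumed from typical
# FreeBSD/pfSense output: "<iface> <proto> <src>[ (<pre-NAT src>)] -> <dst> <state>"
# for outbound states and "<dst> <- <src>" for inbound ones. IPv4 endpoints
# are printed as addr:port, IPv6 (assumed) as addr[port].
SAMPLE_STATES = """\
all tcp 192.168.1.10:54321 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:54322 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.10:53001 -> 192.168.1.1:53          MULTIPLE:SINGLE
em0 tcp 203.0.113.5:62000 (192.168.1.20:49152) -> 198.51.100.7:80   ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:62001 (192.168.1.20:49153) -> 198.51.100.7:80   FIN_WAIT_2:FIN_WAIT_2
all tcp 203.0.113.5:22 <- 198.51.100.9:4444            ESTABLISHED:ESTABLISHED
all tcp 2001:db8::10[50000] -> 2001:db8:1::1[443]      ESTABLISHED:ESTABLISHED
"""

LINE_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<left>\S+)(?:\s+\((?P<orig>\S+)\))?"
    r"\s+(?P<dir>->|<-)\s+(?P<right>\S+)\s+\S+$"
)

def host_of(endpoint):
    """Strip the port: pf prints IPv4 as addr:port and IPv6 as addr[port]."""
    if "[" in endpoint:
        return endpoint[:endpoint.index("[")]
    return endpoint.rsplit(":", 1)[0]

def states_per_host(pfctl_output):
    """Count state entries per initiating host, preferring the pre-NAT address
    so that every LAN client is counted separately rather than as the WAN IP."""
    counts = Counter()
    for line in pfctl_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines or unexpected formats are skipped
        if m.group("dir") == "->":
            src = m.group("orig") or m.group("left")
        else:
            src = m.group("right")  # inbound state: the right-hand host opened it
        counts[host_of(src)] += 1
    return counts

def hosts_at_or_over(pfctl_output, limit):
    """Hosts that would already hit a 'max states per host' value of `limit`."""
    return {h: n for h, n in states_per_host(pfctl_output).items() if n >= limit}
```

Run it against real `pfctl -ss` output over a normal day before picking the limit; the hosts returned by `hosts_at_or_over` are the ones a new limit would start dropping connections for.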
-
If I set this to 150, is it too much or not enough?
I want to limit my clients' connections to conserve my bandwidth.

Connections will only help bandwidth if P2P is the issue. If I'm a user and pull down the latest FreeBSD ISO from a good mirror, I guarantee that connection counts won't save your bandwidth - for that matter, if you have HTTP prioritized, yer screwed too. ;)
–Bill
-
I'm considering setting max states per host to 80 on our wireless hotspot. I notice most hosts use <20 when I check it.
Are there any common uses (other than p2p) that would open many more states than really needed, or leave "ghost" states in the state table?
And, what is the default timeout for inactive states?
Thanks, -pc
-
Default state timeout is 24h, but you can set the timeouts in the firewall rules for each kind of traffic individually. Abusive programs like worms or viruses might cause lots of states too, btw. Some port/subnet scanners are able to open a lot of connections at the same time, but I expect you don't want to let these run effectively on your hotspot ;)
-
Does the default state timeout of 24h: timeout 24h after creation, or after 24h of inactivity?
Thanks, -pc
-
It's inactivity (check pftop from the console to see how the expiry is renewed on traffic), and as it is per rule, it only applies to the kind of traffic you specify in it.
-
Does the "state limit per host" field also apply to hosts/IPs on other interfaces, such as the interface going out to the internet? I wouldn't want to inadvertently limit connections to popular web sites.
Thanks, -pc
-
It applies for the traffic specified in the rule.