On 22 June 2010 15:33, James <wirel...@tampabay.rr.com> wrote:
> Hello,
>
> Conntrack-tools
> Look here:
> http://conntrack-tools.netfilter.org/testcase.html
>
> Is anyone doing this, and willing to share configs, answer questions,
> or point to other examples?
>
>
> Lots of new kernel stuff for ip tables, since I sank deeply into the
> abyss of minutia of IP tables. Further reading references on how to
> build an HA or fail-over firewall are most welcome.
I can't add anything about conntrackd, because I have not used it, but I'd
recommend using the limit module and setting it to something sensible (e.g.
3/minute) when logging invalid packets, if you want to avoid bogging down
your fw. So use something like:

  -m limit --limit 1/minute

You could also add --limit-burst in the same fashion again to limit DoS
attacks, at least on the Internet-facing NICs/ports.

--
Regards,
Mick
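The rule pair Mick describes, as an added example that is not code from the thread: the limit is attached to the LOG rule only, and an unlimited DROP rule follows it, so INVALID packets beyond the log budget are still dropped instead of falling through. The interface name eth0, the rate 3/minute and the burst of 5 are assumed values; DRY_RUN prints the rules rather than installing them.

```shell
#!/bin/sh
# Added example: rate-limited logging of INVALID packets on an Internet-facing
# interface (eth0 is an assumed name), followed by an unconditional DROP.

# DRY_RUN=1 (default) prints the iptables commands for review;
# run with DRY_RUN=0 as root to install them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# invalid_log_rules IFACE [RATE] [BURST]
#   RATE  - average rate accepted by -m limit, e.g. 3/minute (assumed default)
#   BURST - token-bucket size for --limit-burst, e.g. 5 (assumed default)
invalid_log_rules() {
    iface=$1; rate=${2:-3/minute}; burst=${3:-5}
    # 1. Log INVALID packets, but at most $rate with a burst of $burst,
    #    so a flood cannot fill the log or bog down the firewall.
    run iptables -A INPUT -i "$iface" -m conntrack --ctstate INVALID \
        -m limit --limit "$rate" --limit-burst "$burst" \
        -j LOG --log-prefix "INVALID-IN: "
    # 2. Drop every INVALID packet. No -m limit here: a limit on the DROP
    #    rule would let packets over the limit continue down the chain.
    run iptables -A INPUT -i "$iface" -m conntrack --ctstate INVALID -j DROP
}

invalid_log_rules eth0 3/minute 5
```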