Mick <michaelkintzios <at> gmail.com> writes:

Howdy Mick!

> I can't add anything about conntrackd, because I have not used it, but
> I'd recommend using the limit module and setting it to something sensible
> (e.g. 3/minute) when logging invalid packets, if you want to avoid
> bogging down your fw. So use something like:

Well, between needing a firewall that does not fail (HA via redundancy), and a need to get 'up 2 speed' on the latest with iptables, I'm taking the plunge here... conntrackd provides what looks like a cool roll-over mechanism similar to OpenBSD's carp and pfsync.

http://www.openbsd.org/faq/pf/carp.html

You may get a few private emails, if I do not find a forum for ideas and experimentation......

> -m limit --limit 1/minute
>
> You could also add --limit-burst in the same fashion again to limit
> DoS attacks, at least on the Internet facing NICs/ports.

Nice to know.

Thanks Mick,

James
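The rate-limited logging Mick suggests, written out as a small added example (not from the thread): INVALID conntrack-state packets arriving on the Internet-facing NIC go to a dedicated chain that logs at most 3 lines a minute with a burst of 5, then drops. The interface name in WAN and the chain name LOG_INVALID are assumptions; set IPT=echo to print the rules without root.

```shell
#!/bin/sh
# Added example: rate-limited logging of INVALID packets with iptables.
# Assumptions (constructed, not from the thread): the Internet-facing
# interface is $WAN and the helper chain is called LOG_INVALID.
set -eu

WAN="${WAN:-eth0}"        # assumed WAN interface name
IPT="${IPT:-iptables}"    # IPT=echo gives a dry run that just prints rules

invalid_log_rules() {
    # One dedicated chain, so every INVALID hit shares the same limit bucket
    # and a flood on one port cannot starve logging on another.
    $IPT -N LOG_INVALID 2>/dev/null || true
    $IPT -F LOG_INVALID
    # limit: average 3 log lines/minute; limit-burst: up to 5 in a spike.
    # Packets beyond the limit skip LOG and fall through to DROP quietly,
    # so a flood cannot bog the firewall down with syslog traffic.
    $IPT -A LOG_INVALID -m limit --limit 3/minute --limit-burst 5 \
         -j LOG --log-prefix "fw-invalid: " --log-level 4
    $IPT -A LOG_INVALID -j DROP
    # Route INVALID-state packets from the WAN side into that chain,
    # in front of the existing INPUT and FORWARD rules.
    $IPT -I INPUT 1 -i "$WAN" -m conntrack --ctstate INVALID -j LOG_INVALID
    $IPT -I FORWARD 1 -i "$WAN" -m conntrack --ctstate INVALID -j LOG_INVALID
}

# Apply only when explicitly asked; sourcing the file just defines the function.
if [ "${1:-}" = "apply" ]; then
    invalid_log_rules
fi
```

Check the counters with `iptables -L LOG_INVALID -v -n`: once the LOG rule's packet count stops rising while the DROP rule's keeps climbing, the limit is doing its job.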
> I can't add anything about conntrackd, because I have not used it, but > I'd recommend to use the limit module and set it to something sensible > (e.g. 3/minute) when logging invalid packets, if you want to avoid > bogging down your fw. So use something like: Well, between needing a firewall that does not fail (HA via redundancy), and a need to get 'up 2 speed' on the latest with iptables, I'm taking the plunge here... conntrackd provide what looks like a cool roll over mechanism similar to OpenBSD's carp and pfsync. http://www.openbsd.org/faq/pf/carp.html You may get a few private email, if I do not find a forum for ideas and experimentation...... > -m limit --limit 1/minute > You could also add --limit-burst in the same fashion again to limit > DoS attacks, at least on the Internet facing NICs/ports. Nice to know. Thanks Mick, James