Minor additions to what Pandu said...

On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan <pa...@poluan.info> wrote:
> On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl <tansta...@libertytrek.org> wrote:
>
> The numbers within [brackets] are statistics/counters. Just replace
> them with [0:0], unless you really really really have a good reason to
> not start counting from 0...

AFAIK, there's no reason this shouldn't always be set to 0. If you want to
keep your counter do --noflush.

> NOTE: In that ServerFault posting, I suggested using the anti-attack
> rules in -t raw -A PREROUTING. This saves a great deal of processing,
> because the "raw" table is just that: raw, unadulterated, unanalyzed
> packets. The CPU assumes nothing, it merely tries to match well-known
> fields' values.
> And because nothing is assumed, you can't prepend a conntrack rule.

I can't think of why you'd ever want those packets (and I should probably
move at least those 4 masks to raw) but just an FYI - no processing means
no processing.

Also see nftables: http://netfilter.org/projects/nftables/
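An added example in Python, not from this thread or from anyone on it: it resets the [pkts:bytes] counters in an iptables-save dump to [0:0] without touching bracketed text inside rule bodies, and lists which counters (including a raw-table PREROUTING rule) have seen traffic, which is how you would confirm that a rule placed in -t raw is actually matching. The dump, its chains and its rules are constructed sample input.

```python
import re
# Constructed iptables-save dump (not from the thread): a raw-table
# null-scan drop rule and a filter table, all with live counters.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.21 on Mon Dec 30 12:00:00 2013
*raw
:PREROUTING ACCEPT [1234:567890]
[12:480] -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
COMMIT
*filter
:INPUT DROP [55:3300]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [77:9000]
[3:180] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[9:720] -A INPUT -m comment --comment "keep [1:1] as is" -j DROP
COMMIT
"""

# ":NAME POLICY [pkts:bytes]" chain headers and "[pkts:bytes] -A ..." rules.
CHAIN_RE = re.compile(r"^(?P<head>:\S+ \S+ )\[(?P<p>\d+):(?P<b>\d+)\]$")
RULE_RE = re.compile(r"^\[(?P<p>\d+):(?P<b>\d+)\](?P<rule> -[AI] .*)$")


def zero_counters(dump: str) -> str:
    """Rewrite every counter iptables-save emits to [0:0]; only the two
    positions iptables-save uses are touched, so a bracketed value inside
    a rule body (here, in a --comment) is left as is."""
    out = []
    for line in dump.splitlines():
        if m := CHAIN_RE.match(line):
            line = f"{m['head']}[0:0]"
        elif m := RULE_RE.match(line):
            line = f"[0:0]{m['rule']}"
        out.append(line)
    return "\n".join(out) + "\n"


def active_counters(dump: str) -> list:
    """List (table, line, pkts, bytes) for each counter that has seen
    traffic; useful for checking that a raw-table rule really matches."""
    table, hits = "", []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
            continue
        m = CHAIN_RE.match(line) or RULE_RE.match(line)
        if m and int(m["p"]):
            hits.append((table, line, int(m["p"]), int(m["b"])))
    return hits
```

Feed the zeroed text to iptables-restore when you want a clean start, or inspect the active list before deciding whether a counter is worth keeping.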