On 22 June 2010 15:33, James <wireless@×××××××××××.com> wrote:
> Hello,
>
> Conntrack-tools
> Look here:
> http://conntrack-tools.netfilter.org/testcase.html
>
> Is anyone doing this, and willing to share configs, answer questions,
> or point to other examples?
>
>
> Lots of new kernel stuff for ip tables, since I sank deeply into the
> abyss of minutia of IP tables. Further reading references on how to
> build an HA or fail-over firewall are most welcome.

I can't add anything about conntrackd, because I have not used it, but
I'd recommend using the limit module and setting it to something sensible
(e.g. 3/minute) when logging invalid packets, if you want to avoid
bogging down your fw. So use something like:

-m limit --limit 1/minute

You could also add --limit-burst in the same fashion again to limit
DoS attacks, at least on the Internet facing NICs/ports.
--
Regards,
Mick
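The rate-limited logging Mick describes, written out as an added example (not code from the thread or from the netfilter project). It builds the two rules a practitioner would pair together: a LOG rule for INVALID packets gated by `-m limit` with a burst allowance, followed by an unconditional DROP so that packets beyond the log budget are still dropped, only silently. The interface name, rate, burst and log prefix are constructed defaults that can be overridden through the environment; the script only prints the rules unless invoked with `--apply`, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example: generate iptables rules that log INVALID packets through the
# limit module and then drop them, so a flood of invalid packets cannot fill
# the logs. Rules are printed for review; pass --apply to load them with
# iptables (requires root). All defaults below are constructed assumptions.

WAN_IF="${WAN_IF:-eth0}"               # assumed Internet-facing interface
LOG_RATE="${LOG_RATE:-3/minute}"       # sustained log rate after the burst
LOG_BURST="${LOG_BURST:-5}"            # initial burst of log entries allowed
LOG_PREFIX="${LOG_PREFIX:-FW-INVALID: }"

# invalid_rules: print the rules, one per line, in the -A INPUT form that
# iptables accepts, so they can be inspected before touching the kernel.
invalid_rules() {
    # Rate-limited LOG: once the burst of $LOG_BURST is spent, at most
    # $LOG_RATE entries are written; everything else falls through.
    printf '%s\n' "-A INPUT -i $WAN_IF -m conntrack --ctstate INVALID -m limit --limit $LOG_RATE --limit-burst $LOG_BURST -j LOG --log-prefix \"$LOG_PREFIX\""
    # Unconditional DROP: packets that exceeded the log budget are still
    # dropped, just not logged. Order matters: LOG must come before DROP.
    printf '%s\n' "-A INPUT -i $WAN_IF -m conntrack --ctstate INVALID -j DROP"
}

# log_rule_count: number of rules that would be applied (sanity check).
log_rule_count() {
    invalid_rules | wc -l | tr -d ' '
}

# unlimited_log_rules: count of LOG rules missing the limit match. A result
# other than 0 means a rule could flood syslog under a packet storm.
unlimited_log_rules() {
    invalid_rules | awk '/-j LOG/ && !/-m limit/ { n++ } END { print n + 0 }'
}

if [ "${1:-}" = "--apply" ]; then
    invalid_rules | while IFS= read -r rule; do
        eval "iptables $rule"
    done
else
    invalid_rules
fi
```

Two points worth keeping in mind when adapting this: `-m limit` keeps a single token bucket per rule, shared by every source address, so one noisy host can use up the log budget for everyone; if per-source accounting is wanted, the `hashlimit` match provides separate buckets keyed on address. The limit also protects only the LOG action, which is why the DROP rule carries no limit at all.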