Minor additions to what Pandu said...

On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan <pandu@××××××.info> wrote:
> On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl <tanstaafl@×××××××××××.org> wrote:

> The numbers within [brackets] are statistics/counters. Just replace
> them with [0:0], unless you really really really have a good reason to
> not start counting from 0...
>

AFAIK, there's no reason this shouldn't always be set to 0. If you want
to keep your counter do --noflush

> NOTE: In that ServerFault posting, I suggested using the anti-attack
> rules in -t raw -A PREROUTING. This saves a great deal of processing,
> because the "raw" table is just that: raw, unadulterated, unanalyzed
> packets. The CPU assumes nothing, it merely tries to match well-known
> fields' values.
>

And because nothing is assumed, you can't prepend a conntrack rule. I
can't think of why you'd ever want those packets (and I should
probably move at least those 4 masks to raw) but just an FYI - no
processing means no processing.

Also see nftables: http://netfilter.org/projects/nftables/ |
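An added example, not from this thread and not from the ServerFault post it refers to, of what "replace them with [0:0]" looks like in practice: a small shell filter that zeroes the [packets:bytes] counters in an iptables-save dump before the file goes into version control or to iptables-restore, without touching the rules themselves. The dump, addresses and counter values below are constructed for the example; its raw-table PREROUTING rules are stateless TCP-flag checks of the kind discussed above (the exact rules from the ServerFault post are not reproduced here). Note that iptables-restore only reads the bracketed counters at all when run with --counters (-c); without that flag they are ignored.

```shell
#!/bin/sh
# Added example (not from the thread): zero the [packets:bytes] counters in an
# iptables-save dump, leaving the rules untouched. Counters appear in exactly
# two positions in the dump format:
#   :CHAIN POLICY [pkts:bytes]      (chain header lines)
#   [pkts:bytes] -A CHAIN ...       (rule lines, only with iptables-save -c)
# Only those two positions are rewritten, so a literal "[1:2]" inside a
# --comment string is left alone.
zero_counters() {
    sed -E \
        -e 's/^(:[^ ]+ [^ ]+ )\[[0-9]+:[0-9]+\]$/\1[0:0]/' \
        -e 's/^\[[0-9]+:[0-9]+\] (-A .*)$/[0:0] \1/'
}

# Count the counters in a dump that are not [0:0]; prints 0 for a clean file.
nonzero_counters() {
    sed -nE 's/^(:[^ ]+ [^ ]+ )?(\[[0-9]+:[0-9]+\]).*/\2/p' \
        | grep -vc '^\[0:0\]$' || true
}

# Constructed sample dump (hypothetical counters and rules). The raw-table
# PREROUTING rules are early, stateless sanity checks: impossible TCP flag
# combinations are dropped before conntrack ever sees the packet. The comment
# on the ssh rule deliberately contains "[1:2]" to show it survives.
SAMPLE_DUMP='*raw
:PREROUTING ACCEPT [123456:78901234]
:OUTPUT ACCEPT [98765:4321098]
[17:680] -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
[3:120] -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
[0:0] -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
COMMIT
*filter
:INPUT DROP [4096:262144]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [77777:9999999]
[4000:256000] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[12:720] -A INPUT -p tcp -m tcp --dport 22 -m comment --comment "ssh [1:2]" -j ACCEPT
COMMIT
'

# Demonstration on the constructed dump: prints the zeroed ruleset.
# Real usage would be:  iptables-save -c | zero_counters > /etc/iptables/rules.v4
printf '%s' "$SAMPLE_DUMP" | zero_counters
```

The two sed expressions are anchored to the line start on purpose: a global `s/\[[0-9]+:[0-9]+\]/[0:0]/g` would also rewrite bracketed text inside `--comment` or `--log-prefix` strings, which changes rule semantics rather than just statistics.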