> Note however that you will no longer be able to carry out any
> connection tracking logic on matched packets, including no NAT,
> syncookie protection, etc.

Are you sure syncookie protection doesn't work with "-j NOTRACK"? I don't believe syncookie has anything to do with conntrack at all; in fact, if syncookies were stateful, they would be totally useless.