On Fri, Mar 29, 2002 at 09:32:29AM +0100, Patrick Schaaf wrote:
> > This will leave incoming connections in the ESTABLISHED state on the
> > remote side, significantly slowing down Code Red or Nimda-style scans
> > of the entire IP space,
>
> Yeah. And significantly slowing down Code Red requests through unsuspecting
> proxies, bringing down the proxies, potentially. IOW: antisocial if used
> on the Internet.
>
> Having over 150 proxies serving several million narrowband internet users,
> I can tell you that I really hate that proposal. We handle it, heuristically,
> but it's awful. And don't tell me I should disinfect the clients. That sucks.
>
> I feel this to be a dangerous option, and would protest inclusion into
> the base kernel (protest shortly, that is, and with no authority at all :-)
I totally agree with you. I refuse to include this extension into the iptables package - not even into the patch-o-matic 'broken' repository. This is a plain 'quality of implementation' issue. I don't want any code officially distributed as part of the Linux firewalling subsystem to behave in this antisocial way.

> best regards
> Patrick

--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED] http://www.gnumonks.org/