On Wed, 17 Apr 2002, Joakim Axelsson wrote:

> We would like to call this "border". Just the same as "filter INPUT", but
> the absolutely first thing that happens after the packet comes from the
> netcard-driver. Perhaps a border OUTPUT doing the same thing just before
> entering the netcard driver. But it's not really needed more than in anti
> spoof and debugging of your own network. Meaning border INPUT is enough,
> really.
This 'border' table is hooked at NF_IP_PRE_ROUTING?

> Any solution with being able to mark packets for "NOTRACK" or anything is
> just too complicated in our need; handling DoS. Everything that does get past
> "border" is conntracked (if conntrack is loaded). Plain and easy. However I
> can see that people would like the solution of letting packets get "flagged"
> notrack.

One could do both in the proposed new table: drop the packet or flag it to
avoid entering conntrack (for example web traffic).

Regards,
Jozsef
-
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
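The two behaviours discussed above (drop early, or flag so the packet never enters conntrack), written out as an added example that is not part of the thread, using the iptables raw table, which hooks PREROUTING/OUTPUT ahead of conntrack. The interface name, LAN prefix and the choice of port 80 as the "web traffic" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: "border" semantics via the raw table.
# The raw table runs before conntrack, so a DROP here costs no conntrack
# entry and a NOTRACK flag keeps the flow out of the state table entirely.
# Interface and prefix values are assumptions; IPT=echo gives a dry run.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

border_rules() {
    # Ingress anti-spoof: our own LAN prefix can never legitimately arrive
    # from the outside, so drop it before it reaches conntrack (the DoS
    # concern in the thread: no state is allocated for forged sources).
    "$IPT" -t raw -A PREROUTING -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Loopback sources on a real interface are always forged.
    "$IPT" -t raw -A PREROUTING -i "$WAN_IF" -s 127.0.0.0/8 -j DROP

    # The "flag" alternative: web traffic is not tracked at all. Both
    # directions must be flagged, otherwise the replies still create entries.
    # Such packets later match "-m conntrack --ctstate UNTRACKED" in filter,
    # so filter rules that rely on ESTABLISHED must allow for that.
    "$IPT" -t raw -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j NOTRACK
    "$IPT" -t raw -A OUTPUT -o "$WAN_IF" -p tcp --sport 80 -j NOTRACK
}

# Only touch the kernel when asked; by default print the rules instead.
case "${1:-dry-run}" in
    apply) border_rules ;;
    *) IPT=echo; border_rules ;;
esac
```

Run with `apply` as the first argument (as root) to load the rules; with no argument it only prints them.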