Hi Emmanuel,

In a message of 07 Jun at 17:13, Emmanuel Fleury wrote:
> > The documentation is correct because it means
> > the connection in the conntrack sense NOT in the TCP sense.
>
> I disagree on this point. The documentation is not correct.
>
> Or, at least, the documentation is not precise enough to figure out
> this particular point (and this can lead the users to have some flaws
> in their firewall).

The documentation is correct because it assumes you understand "connection" as a conntrack entry. I do agree that it should be more explicit.

> The funny thing is that if you have a bad ruleset, you can easily be
> DoSed by some external people who are just sending random ACK packets.
>
> Those ACKs will create entries in your connection table as ESTABLISHED
> connections with a time-out of.... 5 days !!!!! 8-)

Well, no, since the box concerned will reply with a RST.

--
Guillaume Morin <[EMAIL PROTECTED]>

Why criticize what you don't understand? (Sepultura)
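A toy model of the conntrack behaviour the two posters are arguing about, added here as an illustration; it is not part of the thread and not the netfilter code. It assumes the nf_conntrack defaults (tcp_loose on, ESTABLISHED timeout 432000 s, CLOSE timeout 10 s, SYN_SENT timeout 120 s), a simplified TCP state machine, and constructed addresses. It shows the two things the thread turns on: a random inbound ACK is picked up mid-stream, so the entry's TCP state is ESTABLISHED with the 5-day timeout even though `-m state` classifies that first packet as NEW (which is why the ruleset decides whether the entry is confirmed at all), and the RST the target host answers with moves the entry to CLOSE, where it lives seconds rather than days.

```python
from dataclasses import dataclass

# nf_conntrack TCP timeout defaults in seconds (the kernel's tcp_timeouts table)
SYN_SENT_TIMEOUT = 120
ESTABLISHED_TIMEOUT = 5 * 24 * 3600      # 432000 s: the "5 days" from the thread
CLOSE_TIMEOUT = 10                       # what an RST leaves behind


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


@dataclass
class Entry:
    orig: tuple          # (addr, port) that opened the entry
    tcp_state: str       # simplified nf_conntrack TCP state name
    timeout: int         # seconds until garbage collection
    replied: bool = False


def _key(pkt):
    """Direction-independent flow key (TCP only in this model)."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class ConntrackModel:
    """Toy model of nf_conntrack TCP tracking; not the kernel's code."""

    def __init__(self, tcp_loose=True):
        self.tcp_loose = tcp_loose   # nf_conntrack_tcp_loose (kernel default: 1)
        self.table = {}

    def classify(self, pkt):
        """Return (state match as -m state sees it, tentative entry or None)."""
        entry = self.table.get(_key(pkt))
        if entry is None:
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                return "NEW", Entry((pkt.src, pkt.sport), "SYN_SENT", SYN_SENT_TIMEOUT)
            if self.tcp_loose:
                # mid-stream pickup: the entry goes straight to ESTABLISHED and
                # inherits its 5-day timeout, whatever the packet was
                return "NEW", Entry((pkt.src, pkt.sport), "ESTABLISHED", ESTABLISHED_TIMEOUT)
            return "INVALID", None
        if "RST" in pkt.flags:
            entry.tcp_state, entry.timeout = "CLOSE", CLOSE_TIMEOUT
        if (pkt.src, pkt.sport) != entry.orig:
            entry.replied = True          # first packet back makes it ESTABLISHED for -m state
        return ("ESTABLISHED" if entry.replied else "NEW"), entry


def permissive_ruleset(pkt, match):
    """The 'bad ruleset': accept anything conntrack can classify, SYN or not."""
    return match != "INVALID"


def strict_ruleset(pkt, match):
    """Hardened: a NEW TCP flow must begin with a bare SYN; INVALID is dropped."""
    if match == "INVALID":
        return False
    if match == "NEW":
        return "SYN" in pkt.flags and "ACK" not in pkt.flags
    return True


def process(ct, pkt, ruleset):
    """Conntrack classifies first; the entry is only confirmed if the filter accepts."""
    match, entry = ct.classify(pkt)
    accepted = ruleset(pkt, match)
    if accepted and entry is not None:
        ct.table[_key(pkt)] = entry
    return accepted


def run_random_ack_scenario(ruleset, tcp_loose=True):
    """Random inbound ACK, then the RST the target host answers with."""
    ct = ConntrackModel(tcp_loose)
    ack = Packet("203.0.113.9", 40000, "192.0.2.10", 80, frozenset({"ACK"}))   # constructed
    rst = Packet("192.0.2.10", 80, "203.0.113.9", 40000, frozenset({"RST"}))   # constructed

    def snapshot():
        e = ct.table.get(_key(ack))
        return None if e is None else (e.tcp_state, e.timeout)

    accepted = process(ct, ack, ruleset)
    after_ack = snapshot()
    if accepted:
        process(ct, rst, ruleset)   # outbound RST; the ruleset sees it as ESTABLISHED
    return {"ack_accepted": accepted, "after_ack": after_ack, "after_rst": snapshot()}


if __name__ == "__main__":
    for name, rs in (("permissive", permissive_ruleset), ("strict", strict_ruleset)):
        print(name, run_random_ack_scenario(rs))
```

With the permissive ruleset the entry does appear with the 5-day timeout, but the RST cuts it to the 10-second CLOSE state, which is Guillaume's point; with a ruleset that only accepts NEW flows starting with a SYN, or with tcp_loose turned off, the stray ACK never confirms an entry in the first place.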