> > The funny thing is that if you have a bad ruleset, you can easily be
> > DOSed by some external people which are just sending random ACK packets.
> > 
> > Those ACKs will create entries in your connection table as ESTABLISHED
> > connections with a time-out of.... 5 days !!!!! 8-)
> 
> Well no, since the concerned box will reply with a RST.

Alternatively, if no answer comes back at all, the conntrack is in the
(extra) state UNREPLIED. When the connection table becomes full, UNREPLIED
connections are recycled preferentially.

The worst kinds of handleable DoS situations in this area have been dealt
with 1-2 years ago.

best regards
  Patrick
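As an added illustration, not part of the thread or of any firewall's actual source, the following Python model shows the behaviour being discussed: an unsolicited ACK creates a tracking entry, the entry stays UNREPLIED until a packet in the reply direction is seen, an RST reply moves it into a short-lived CLOSE state, and when the table is full UNREPLIED entries are recycled before replied ones. The 5-day ESTABLISHED timeout comes from the thread; the UNREPLIED and CLOSE timeouts, the table size and all addresses are constructed values for this model only.

```python
"""Constructed, simplified model of a stateful firewall's connection-tracking
table. It is not real netfilter code; it exists to show why random ACKs do
not pin 5-day ESTABLISHED entries in a table that prefers to recycle entries
no reply was ever seen for."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Per-state timeouts in seconds. ESTABLISHED is the 5 days quoted in the
# thread; UNREPLIED and CLOSE are assumed round values for this model.
TIMEOUT = {"ESTABLISHED": 5 * 24 * 3600, "UNREPLIED": 120, "CLOSE": 10}

# (src, sport, dst, dport) as seen in the original direction of the flow
Key = Tuple[str, int, str, int]


@dataclass
class Entry:
    state: str      # "UNREPLIED", "ESTABLISHED" or "CLOSE"
    expires: float  # absolute time at which the entry is garbage-collected
    replied: bool   # True once a packet in the reply direction was seen


class ConntrackTable:
    def __init__(self, max_entries: int):
        self.max_entries = max_entries
        self.entries: Dict[Key, Entry] = {}
        self.early_drops = 0  # how many UNREPLIED entries were recycled

    def _expire(self, now: float) -> None:
        """Remove entries whose timeout has run out."""
        for key in [k for k, e in self.entries.items() if e.expires <= now]:
            del self.entries[key]

    def _early_drop(self) -> bool:
        """Make room by evicting one UNREPLIED entry; entries whose peer has
        answered are never touched here."""
        for key, entry in self.entries.items():
            if not entry.replied:
                del self.entries[key]
                self.early_drops += 1
                return True
        return False

    def original(self, now: float, key: Key, flags: str) -> str:
        """Packet in the original direction. The TCP flags are deliberately not
        inspected: like loose pickup, even a bare ACK creates an entry. Returns
        the entry's state, or "DROPPED" when the table is full of replied
        entries and nothing can be recycled."""
        self._expire(now)
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) >= self.max_entries and not self._early_drop():
                return "DROPPED"
            entry = Entry("UNREPLIED", now + TIMEOUT["UNREPLIED"], replied=False)
            self.entries[key] = entry
        elif entry.state == "ESTABLISHED":
            entry.expires = now + TIMEOUT["ESTABLISHED"]  # refresh on traffic
        return entry.state

    def reply(self, now: float, key: Key, flags: str) -> str:
        """Packet in the reply direction. A RST tears the entry down quickly;
        anything else proves two-way traffic and earns the long timeout."""
        self._expire(now)
        entry = self.entries.get(key)
        if entry is None:
            return "INVALID"  # nothing to match: a stateful ruleset drops this
        entry.replied = True
        entry.state = "CLOSE" if "R" in flags else "ESTABLISHED"
        entry.expires = now + TIMEOUT[entry.state]
        return entry.state


def demo() -> dict:
    """Walk through the three cases from the thread on a 4-entry table."""
    table = ConntrackTable(max_entries=4)
    attacker = "203.0.113.9"   # constructed source (TEST-NET-3)
    server = "192.0.2.10"      # constructed protected host (TEST-NET-1)

    # 1. Four random ACKs that nobody answers fill the table with UNREPLIED entries.
    for port in range(40000, 40004):
        table.original(0.0, (attacker, port, server, 80), "A")
    unreplied_full = len(table.entries)

    # 2. A genuine client connects: one UNREPLIED entry is recycled to make room,
    #    and the SYN/ACK reply promotes the new entry to ESTABLISHED.
    client = ("198.51.100.7", 51000, server, 80)
    table.original(1.0, client, "S")
    client_state = table.reply(1.0, client, "SA")

    # 3. A random ACK that the box answers with RST: CLOSE, gone after 10 s.
    rst_key = (attacker, 41000, server, 80)
    table.original(2.0, rst_key, "A")
    rst_state = table.reply(2.0, rst_key, "R")
    table._expire(13.0)

    return {
        "unreplied_full": unreplied_full,
        "early_drops": table.early_drops,
        "client_state": client_state,
        "rst_state": rst_state,
        "rst_entry_gone": rst_key not in table.entries,
        "client_still_tracked": client in table.entries,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one Patrick states: an entry only reaches the long ESTABLISHED timeout after the peer has replied, and a full table sheds UNREPLIED entries before anything the box actually answered, so unsolicited ACKs cannot crowd out genuine connections.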
