Patrick Schaaf wrote:
>>>The funny thing is that if you have a bad ruleset, you can easily be
>>>DOSed by some external people which are just sending random ACK packets.
>>>
>>>Those ACKs will create entries in your connection table as ESTABLISHED
>>>connections with a time-out of.... 5 days !!!!! 8-)
>>
>>Well no, since the concerned box will reply with a RST.
> 
> Alternatively, if no answer comes back at all, the conntrack is in the
> (extra) state UNREPLIED. When the connection table becomes full, UNREPLIED
> connections are recycled preferentially.

Hey, this is not fair !!!!!

This behaviour is not described in ip_conntrack_proto_tcp.c.

Where is it coded ????
Anyway, I would suggest that this 'ACK is NEW' thing is not really
needed forever in your firewall. If this behaviour is active for a
certain amount of time after every reboot, it would probably be enough
to catch up all these pending connections and allow you to classify ACK
as INVALID most of the time....

This is just a suggestion...

Regards
-- 
Emmanuel

A dreamer is one who can only find his way by moonlight, and his
punishment is that he sees the dawn before the rest of the world.
   -- Oscar Wilde
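The ruleset problem the thread is arguing about, as an added example (not code from any of the posters): a weak ruleset that accepts whatever conntrack calls NEW, beside a hardened one that requires a SYN for NEW TCP traffic and drops INVALID packets, plus the kernel toggle for the loose pickup itself. It assumes iptables with the `conntrack` match and the `nf_conntrack_tcp_loose` sysctl (a kernel name not mentioned in the thread); by default it only prints the commands, set `IPT=iptables` and `SYSCTL=sysctl` to apply them.

```shell
#!/bin/sh
# Added example: netfilter ruleset hardening against stray ACK packets
# being picked up as connections.  IPT/SYSCTL default to a dry run that
# only prints the commands; override them to apply for real (needs root).
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# The weak ruleset from the thread: any packet conntrack classifies as
# NEW on the service port is accepted, so a lone ACK that conntrack
# picks up as a new connection gets both a table entry and an ACCEPT.
weak_rules() {
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Hardened version: a NEW TCP connection must begin with a SYN, and
# anything conntrack cannot classify is dropped before any ACCEPT rule.
hardened_rules() {
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Turn off the loose pickup itself, so a lone ACK is not tracked at all
# (sysctl name from the kernel, not from the thread).
disable_loose_pickup() {
    $SYSCTL -w net.netfilter.nf_conntrack_tcp_loose=0
}

hardened_rules
disable_loose_pickup
```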