* Leonardo Rodrigues ([EMAIL PROTECTED]) wrote:
> 
>     I've been using this same 'new not syn' rule for a long time and have
> had absolutely no problems with it. I've also found SEVERAL connections being
> blocked by it. Anyway, it's completely safe to drop connections that do not
> have the SYN and are recognized as NEW, as they really don't make sense.

You can also apply the patch from p-o-m called 'conntrack-tcp-nopickup'
which alters the TCP state tracking machine to not 'pick up' connections
which are around before the firewall comes up.

Harald, since you asked for feedback, the only issue I've seen so far
when running with this patch (which has been running on my firewall for
almost a month now) is that occasionally I'll see a great many 'ACK's
being sent from my web server to some external IP address in my logs.
It doesn't seem to have caused any serious problem in general though.

If you'd like some more information on this I'd be happy to provide it.

        Stephen

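The two behaviours the thread contrasts, as an added example that is not part of the mailing-list message and not netfilter's own code: a toy Python model of TCP connection tracking in which a packet with no matching entry is either "picked up" as NEW (the default behaviour) or rejected as INVALID (what the thread describes the conntrack-tcp-nopickup patch doing), with the "NEW and not --syn -> DROP" rule layered on top. The `Packet`, `Conntrack`, `run` names and the sample traffic are constructed for this example; the assumption that the nopickup patch behaves like today's `nf_conntrack_tcp_loose=0` sysctl is mine, not the thread's. Real conntrack tracks window, sequence numbers and several more states than this model does.

```python
"""Toy model of TCP connection tracking, constructed for this example.

pickup=True  : a packet with no matching entry creates one and is NEW,
               whether or not it carries a SYN (default behaviour).
pickup=False : only a pure SYN creates an entry; anything else with no
               matching entry is INVALID (modelled on the nopickup patch;
               assumed here to match nf_conntrack_tcp_loose=0).
"""

from dataclasses import dataclass

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

    def key(self):
        # Direction-independent connection key: both directions map to one entry.
        a = (self.src, self.sport)
        b = (self.dst, self.dport)
        return (a, b) if a <= b else (b, a)

    @property
    def syn(self):
        # Same test as iptables '--syn': SYN set, ACK/RST/FIN clear.
        return self.flags & (SYN | ACK | RST | FIN) == SYN


class Conntrack:
    """Minimal state table keyed by the connection tuple."""

    def __init__(self, pickup=True):
        self.pickup = pickup
        self.table = {}

    def classify(self, pkt):
        key = pkt.key()
        if key in self.table:
            return "ESTABLISHED"
        if pkt.flags & RST:
            return "INVALID"          # never create state from a bare RST
        if pkt.syn or self.pickup:
            self.table[key] = "open"  # a SYN opens a connection; with pickup, anything does
            return "NEW"
        return "INVALID"


def new_not_syn_rule(state, pkt):
    """The rule from the thread: NEW without a pure SYN is dropped."""
    if state == "NEW" and not pkt.syn:
        return "DROP"
    return "ACCEPT"


def run(packets, pickup):
    """Classify packets in order; return a (state, verdict) pair per packet."""
    ct = Conntrack(pickup=pickup)
    out = []
    for p in packets:
        state = ct.classify(p)
        # Rulesets normally drop INVALID separately; model that here.
        verdict = "DROP" if state == "INVALID" else new_not_syn_rule(state, p)
        out.append((state, verdict))
    return out


# Constructed traffic: one proper handshake, then a stray mid-stream ACK
# from a flow the firewall has never seen (e.g. a connection that was
# open before the firewall came up).
SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.80", 80, SYN),
    Packet("192.0.2.80", 80, "10.0.0.5", 40000, SYN | ACK),
    Packet("10.0.0.5", 40000, "192.0.2.80", 80, ACK),
    Packet("198.51.100.9", 51515, "192.0.2.80", 80, ACK),
]

if __name__ == "__main__":
    for pickup in (True, False):
        print("pickup" if pickup else "no pickup", run(SAMPLE, pickup))
```

With pickup enabled the stray ACK is classified NEW and it is the 'new not syn' rule that drops it; with pickup disabled the same packet is INVALID before any filter rule sees it, which is why the two approaches end up dropping the same traffic but log it under different states.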