On Tuesday 24 August 2004 15:27, Mike Frantzen wrote:
> There we'll agree to disagree. I prefer Amdahl's law which tells me to
> optimize for the common case instead of degrading everything to the
> pathological case.
I prefer to have a fixed limit for every IP instead of a firewall that changes
timeouts based on the number of active states. This goes beyond the problem
of worms &c. and can help to fight attacks directed at the firewall itself.
By the way, there is another, more general way: you could set a limit on the
number of states for every rule. This gives more space to everyone, without
limiting a specific user, but a worm could use all the available states for
one rule and so valid users would not be able to create connections to that
port.
Ed
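The three mechanisms contrasted in this exchange (adaptive timeouts, a per-rule state cap, and a per-source-IP cap) can all be expressed in pf.conf. The fragment below is an added illustration, not a configuration posted in the thread; the interface name, port and numeric limits are assumed values chosen for the example, and the keywords shown (`set timeout adaptive.*`, `max`, `source-track`, `max-src-states`, `max-src-nodes`) are pf state options available in OpenBSD releases of that period.

```pf
# Assumed interface macro for the example.
ext_if = "fxp0"

# Global ceiling on the state table.
set limit states 10000

# Adaptive timeouts: the approach Mike describes. Once the table holds more than
# adaptive.start states, pf scales every timeout down linearly, reaching zero at
# adaptive.end. Everyone's idle connections expire faster under load, not just
# the offending host's.
set timeout { adaptive.start 6000, adaptive.end 12000 }

# Per-rule cap: the "more general way" Ed mentions. This rule can never hold
# more than 500 states. A single worm-infected host can still consume all 500
# and lock legitimate clients out of port 80.
pass in on $ext_if proto tcp from any to $ext_if port 80 \
    flags S/SA keep state (max 500)

# Per-source cap: the fixed limit for every IP that Ed prefers. source-track
# makes pf count states per source address for this rule; no single address
# can hold more than 20 states here, and at most 1000 addresses are tracked.
# One runaway host is contained without shortening anyone else's timeouts.
pass in on $ext_if proto tcp from any to $ext_if port 22 \
    flags S/SA keep state (source-track rule, max-src-states 20, max-src-nodes 1000)
```

Per-source tracking costs memory for the source-node table (bounded here by `max-src-nodes`), which is the trade-off against the adaptive approach: adaptive timeouts need no extra bookkeeping, but degrade all hosts together. `pfctl -s sources` lists the tracked addresses and their current state counts, which is the first thing to check when a per-source limit is suspected of blocking legitimate traffic.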