On Thu, Apr 05, 2001 at 11:59:43PM +0200, Guy Van Den Bergh wrote:
> One major application of ingress policing is only letting a limited
> rate of icmp or tcp syn packets coming into your network. That will
> keep your network less vulnerable for ping floods and dos attacks.

It's perhaps worth noting that for applications like this, in which you
don't want to queue the traffic at all but just drop or reject it, this
can be easily done with kernel 2.4's netfilter, using iptables and LIMIT.
This is covered in Rusty's Remarkably Useful but Allegedly Unreliable
Guide, the Linux 2.4 Packet Filtering HOWTO at
http://netfilter.kernelnotes.org/
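
The rate limiting this reply describes, as an added example that is not part of the original post: a script that builds ACCEPT-within-rate / DROP-the-rest rule pairs for ICMP echo requests and TCP SYNs using the iptables `limit` match. The chain name, rates, burst size and the `limit_rules`/`apply_rules` helper names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: drop (rather than queue) excess ICMP echo and TCP SYN
# packets with the iptables "limit" match.
# Assumed values, not from the original post: chain, rates, burst size.
CHAIN="${CHAIN:-INPUT}"              # use FORWARD on a router
ICMP_RATE="${ICMP_RATE:-1/second}"
SYN_RATE="${SYN_RATE:-5/second}"
BURST="${BURST:-5}"

# Print the rule set, one iptables command per line; nothing is applied here.
limit_rules() {
    # Each entry is "<packet match>|<rate>".
    for spec in "-p icmp --icmp-type echo-request|$ICMP_RATE" \
                "-p tcp --syn|$SYN_RATE"; do
        match=${spec%|*}
        rate=${spec#*|}
        # While burst credit remains, the limit match succeeds and the packet
        # is accepted. Once the credit is used up the match fails, so the
        # packet falls through to the unconditional DROP that follows.
        echo "iptables -A $CHAIN $match -m limit --limit $rate --limit-burst $BURST -j ACCEPT"
        echo "iptables -A $CHAIN $match -j DROP"
    done
}

# Dry run by default: print the commands. APPLY=1 executes them (needs root).
apply_rules() {
    limit_rules | while read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd || return 1
        else
            echo "$cmd"
        fi
    done
}

# Caveat: the limit match keeps one counter for all matching packets, not one
# per source address, so a flood can use up the allowance that legitimate
# senders would otherwise get.
apply_rules
```
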