On Wed, Nov 28, 2007 at 12:34:31AM +0100, Jan Engelhardt wrote:
> Considering TCP only...
>
> If my firewall allows 'NEW' connections (-m conntrack --ctstate NEW) on
> non-SYN packets, what good will xt_TIMEOUT do? If the ct entry times out,
> a new one will be created once the next packet flows.

Correct - in this case, it will not help at all. But many rulesets require
(--state NEW) to be --syn, where this would help.

Phil
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
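The two ruleset shapes the exchange contrasts, as an added example that is not part of the thread: one accepts NEW on any TCP packet, the other only honours NEW on a SYN. The `IPT` variable and the port 22 service rule are assumptions for illustration; by default the script only prints the iptables commands.

```shell
#!/bin/sh
# Added example (not from the thread): two INPUT-chain policies for TCP.
# IPT defaults to printing the commands so the script is safe to run
# without root; set IPT=iptables to apply them for real.
IPT=${IPT:-"echo iptables"}

# Weak form: any packet that conntrack marks NEW is accepted, even a
# bare ACK. When a ct entry expires mid-flow, the next data packet
# simply recreates it, so shortening conntrack timeouts gains nothing here.
weak_ruleset() {
    $IPT -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp -j DROP
}

# Hardened form: NEW is only honoured on a SYN. A non-SYN packet with
# no ct entry is dropped, so an expired entry really does end the flow,
# which is the case where a shorter conntrack timeout has any effect.
hardened_ruleset() {
    $IPT -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    $IPT -A INPUT -p tcp --syn --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp -j DROP
}

# Check helper: does the named ruleset contain a rule that drops
# non-SYN packets in state NEW? Exit status 0 means yes.
drops_new_nonsyn() {
    "$1" | grep -q -- '! --syn -m conntrack --ctstate NEW -j DROP'
}
```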