Hi,

On Tue, 25 May 2010, Changli Gao wrote:

> iptables target SYNPROXY.
>
> This patch implements an iptables target SYNPROXY, which works in the raw table
> of the PREROUTING chain, before the conntracking system. Syncookies are used, so no
> new state is introduced into the conntracking system. In fact, until the first
> connection is established, the conntracking system doesn't see any packets. So when
> there is a SYN-flood attack, the conntracking system won't be busy finding and
> deleting the un-assured ct.

My main problem with your target is that by using it, important and useful TCP
options are lost: timestamp and SACK. That pushes back TCP by almost twenty years.

Here you reason for the target that it protects conntrack itself, but in the
Kconfig text you write that it protects the servers behind the firewall. Both can
be true, but if the real goal is to defend the servers then your target could
simply send a faked ACK to complete the three-way handshake and that way TCP
would not be crippled (conntrack timeout should still be adjusted).

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
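The objection above rests on how syncookies work: with no per-connection state kept, everything the server will later know about the client's SYN has to fit into the 32-bit initial sequence number it sends back, and the only option that survives is a coarse MSS. The following is an added illustration, not code from the SYNPROXY patch nor from the Linux kernel's syncookie implementation. It uses the classic Bernstein-style layout (5 bits of time counter, 3 bits of MSS index, 24-bit keyed hash); the MSS table, key, addresses and ports are constructed values chosen for the example.

```python
import hmac
import hashlib
import struct

# Constructed MSS table: the cookie has only 3 bits for the MSS, so the server
# can remember one of at most eight coarse values, never the exact MSS offered.
MSS_TABLE = (536, 1300, 1440, 1460)


def _cookie_mac(key, saddr, daddr, sport, dport, count):
    """24-bit keyed hash binding the cookie to the 4-tuple and a time slot."""
    data = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count)
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def syncookie_encode(key, saddr, daddr, sport, dport, mss, count):
    """Build the ISN placed in the SYN/ACK instead of allocating state.

    Layout (Bernstein-style, an assumption of this example):
      bits 31..27  low 5 bits of a slowly incrementing time counter
      bits 26..24  index into MSS_TABLE (largest entry <= client MSS)
      bits 23..0   keyed hash over the 4-tuple and the counter
    There is no room left for window scale, SACK-permitted or timestamps,
    which is why those options are lost once syncookies are in use.
    """
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    mac = _cookie_mac(key, saddr, daddr, sport, dport, count)
    return ((count & 0x1F) << 27) | (idx << 24) | mac


def syncookie_check(key, saddr, daddr, sport, dport, ack_seq, count_now, max_age=2):
    """Validate the final ACK of the handshake and recover what the cookie held.

    The client acknowledges ISN + 1, so the cookie is ack_seq - 1. Cookies older
    than max_age counter ticks are rejected. Returns the recovered parameters
    or None; note that wscale, sack_ok and timestamp are always None because
    they were never encoded.
    """
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    for age in range(max_age + 1):
        count = count_now - age
        if count < 0:
            break
        if (count & 0x1F) != slot:
            continue
        expected = _cookie_mac(key, saddr, daddr, sport, dport, count).to_bytes(3, "big")
        if hmac.compare_digest(expected, mac):
            return {"mss": MSS_TABLE[idx], "wscale": None,
                    "sack_ok": None, "timestamp": None}
    return None


if __name__ == "__main__":
    # Constructed sample values.
    key = b"constructed-demo-secret"
    saddr, daddr = bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1])
    isn = syncookie_encode(key, saddr, daddr, 40000, 80, mss=1460, count=100)
    print(syncookie_check(key, saddr, daddr, 40000, 80, (isn + 1) & 0xFFFFFFFF, 101))
```

Running the stand-alone block prints a dictionary whose only populated field is `mss`; a SYN that offered MSS 1400 comes back as 1300, and a cookie presented from a different source port or after the age window is rejected. This is the trade-off Jozsef describes: conntrack is shielded, but the server side of every proxied connection starts without timestamps or SACK.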