On Wed, May 26, 2010 at 3:03 AM, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
>>
>> Yea. Only MSS option is supported. But it is better than being DoSed.
>> And you can set a threshold for SYNPROXY with limit match, then there
>> isn't any difference if there isn't any SYN-flood attack.
>
> If I (have to) limit SYNPROXY, why shouldn't I better limit the SYN
> packets directly instead?
>

Without SYNPROXY, you have to drop the over limit SYN packets, and
maybe normal SYN packets are dropped.

--
Regards,
Changli Gao(xiaosuo@xxxxxxxxx)