>>Standard routing uses the destination to look up what to do. This will
>>need to be based on source address. Apparently the policy routing has this
>>capability, but the documentation for that stuff is rather vague so far.
>
>Yes, I was suggesting that you use policy routing, but I believe that still
>has the same sort of "reject" destination as the standard "route" command, so
>you don't need to actually send your unwanted packets on anywhere.

Nope, the IP-Route2 command is well explained. AND you can select between more than one filter:
unreachable or blackhole.
unreachable sends a command back (ICMP) and blackhole redirects the packet to the fast null device *eg*

But to catch bursts, and I think that's what you're talking about, there are two other solutions:
- netfilter with limit/psd/recent
- ip/tc with bandwidth management based on the syn flag

Cu Thomas Lußnig

p.s. It is not a good idea to drop the syn packets, since if there comes no connect the sender retries it some times. A better solution would be sending RST packets that finally tell the sender that you are not willing to accept the connection. Even if you want to block a FIXED set of IP's permanently for SMTP, you can with DNS and view based give them a wrong (127.0.0.1) DNS solution for the MX.
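As an added illustration of the two options named in the reply above (not code from the thread): a POSIX shell script that installs a source-based policy route ending in blackhole or unreachable, and a netfilter rule using the recent match that answers excess SMTP SYNs with a TCP RST instead of dropping them. Table number 100, chain name SMTP_LIMIT and the thresholds are assumed for the example; DRY_RUN=1 prints the commands instead of executing them (they otherwise need root).

```shell
#!/bin/sh
# Added example, not from the original message. Table 100, chain SMTP_LIMIT
# and the hit thresholds are assumptions chosen for illustration.

# Execute a command, or print it when DRY_RUN=1 (for review without root).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Source-based policy route: packets FROM the prefix are looked up in a
# dedicated table whose only route is "blackhole" (discard silently) or
# "unreachable" (discard and send ICMP host unreachable back).
source_policy_route() {
    prefix="$1"; action="${2:-blackhole}"; table="${3:-100}"
    case "$action" in
        blackhole|unreachable) ;;
        *) echo "unknown action: $action (use blackhole|unreachable)" >&2; return 1 ;;
    esac
    run ip rule add from "$prefix" lookup "$table"
    run ip route add "$action" default table "$table"
}

# Burst control for SMTP: count new connections per source with the
# "recent" match; once a source exceeds $hits SYNs in $seconds, reply with
# a TCP RST so the sender gives up at once instead of retransmitting.
smtp_syn_limit() {
    hits="${1:-10}"; seconds="${2:-60}"
    run iptables -N SMTP_LIMIT
    run iptables -A INPUT -p tcp --dport 25 --syn -j SMTP_LIMIT
    run iptables -A SMTP_LIMIT -m recent --name smtp --set
    run iptables -A SMTP_LIMIT -m recent --name smtp --update \
        --seconds "$seconds" --hitcount "$hits" -j REJECT --reject-with tcp-reset
    run iptables -A SMTP_LIMIT -j ACCEPT
}
```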