Purely NAT

> How much memory is in the netfilter machine / what size is your conntrack
> table / how many connections are you generating with your portscans for this
> to be a problem ?

This is not a matter of the number of connections generated by the
portscanner, but of the type of scanning option.
If you turn on stateful filtering and you try to scan a class B (or
multiple class C) address range using "nmap -sS", then you are in trouble.

According to the iptables source code, you will have to wait five days for
the timeout.

FYI, my machine has 64MB and I know it defaults to 4K connections. I tried
to increase it to 64K, and I got other processes being killed (the OOM bug);
sometimes the machine hangs. This is kernel-2.4.18.

Even if I put in more RAM, let's say 512MB/1GB, the maximum size of the
connection table is only 64K. (Correct me if I'm wrong.)
My point here is that any iptables box with a 64K limit on the connection
table can easily be DoSed by a scan (using either "nmap -sS" or "nmap -sA").



.//Jet
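To put numbers on the scenario described in this thread (a fixed-size connection table gaining one entry per probe and only shedding entries on timeout), here is an added Python model; it is not code from the original thread, and the table size, timeout, scan size and packet rate are constructed inputs chosen for illustration.

```python
# Added example (not from the original post): a minimal model of a stateful
# connection-tracking table, used to estimate when a SYN scan fills it.
from collections import OrderedDict

class ConntrackTable:
    """Fixed-capacity table of flow entries; each entry expires after `timeout` seconds."""
    def __init__(self, max_entries, timeout):
        self.max_entries = max_entries
        self.timeout = timeout
        self.entries = OrderedDict()  # flow tuple -> expiry time, kept in insertion order
        self.dropped = 0              # packets refused because the table was full

    def expire(self, now):
        # Entries are inserted in time order, so expiry can stop at the first live one.
        while self.entries:
            flow, exp = next(iter(self.entries.items()))
            if exp > now:
                break
            del self.entries[flow]

    def track(self, now, flow):
        """Record a new flow; return False (and count a drop) when the table is full."""
        self.expire(now)
        if flow in self.entries:
            return True
        if len(self.entries) >= self.max_entries:
            self.dropped += 1         # the "table full, dropping packet" condition
            return False
        self.entries[flow] = now + self.timeout
        return True

def simulate_syn_scan(table, n_targets, ports, pps):
    """Send one SYN per (target, port) at `pps` packets/second; return (accepted, dropped)."""
    accepted = 0
    i = 0
    for host in range(n_targets):
        for port in ports:
            # Constructed flow tuple: (scanner, target index, destination port).
            if table.track(i / pps, ("scanner", host, port)):
                accepted += 1
            i += 1
    return accepted, table.dropped

def steady_state_occupancy(pps, timeout, total_probes):
    """Entries alive at once: scan rate * timeout, capped by the probes actually sent."""
    return min(pps * timeout, total_probes)
```

The contrast worth noting is between the five-day timeout quoted in the post, where every probe stays resident and the table is exhausted after max_entries probes, and a timeout of seconds, where occupancy settles at roughly rate × timeout.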
