On Thu, Jan 02, 2003 at 11:33:36AM -0800, Ranjeet Shetye wrote:
> Actually, the ICMP problem that I have seen does not go away with a
> larger ip_conntrack_max. The extra table space just gets filled up.
> Agreed, that the ICMP packets I used to flood the iptables conntrack
> mechanism did not strictly comply with ICMP RFC standards, but then
> which cracker cares about standards? :( That's why I asked, are you
> seeing malformed ICMP packets?

Fair enough. Check out if the unclean match module catches these bad ICMP packets then:

iptables -A INPUT -i ${PUBINT} --match unclean -j LOG --log-level info --log-prefix "fwr-unclean "

-Ath

--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up. Me who makes the monsters.
Me who strips my confidence." Paula Cole - ME
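A defender-side helper, added here and not part of Athanasius's mail: it reads kernel LOG lines carrying the "fwr-unclean " prefix from the rule above and counts unclean ICMP per source, so the rule's output can be checked for the kind of flood Ranjeet describes. The log lines are constructed samples (RFC 5737 addresses), and the field layout assumed is the usual `KEY=value` form of the iptables LOG target.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape the iptables LOG target emits,
# using the "fwr-unclean " prefix from the rule in the mail. Not real traffic.
SAMPLE_LOG = """\
Jan  2 11:40:01 fw kernel: fwr-unclean IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0
Jan  2 11:40:01 fw kernel: fwr-unclean IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=1
Jan  2 11:40:02 fw kernel: fwr-unclean IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=20 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=ICMP TYPE=3 CODE=1
Jan  2 11:40:02 fw kernel: fwr-unclean IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=28 TOS=0x00 PREC=0x00 TTL=128 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=2
Jan  2 11:40:03 fw sshd[123]: Accepted publickey for admin from 192.0.2.9
Jan  2 11:40:03 fw kernel: fwr-unclean IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=1234 DPT=80 SYN
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_unclean_log(text, prefix="fwr-unclean "):
    """Return one record per LOG line that carries the given log-prefix."""
    marker = "kernel: " + prefix
    records = []
    for line in text.splitlines():
        pos = line.find(marker)
        if pos < 0:
            continue  # not a firewall log line (e.g. the sshd line above)
        fields = {}
        for key, val in FIELD_RE.findall(line[pos + len(marker):]):
            fields.setdefault(key, val)  # keep the first ID= (IP header), not the ICMP echo ID
        proto = fields.get("PROTO")
        records.append({
            "src": fields.get("SRC"),
            "proto": proto,
            "icmp_type": int(fields["TYPE"]) if proto == "ICMP" and "TYPE" in fields else None,
            "length": int(fields.get("LEN", 0)),
        })
    return records


def icmp_counts_by_source(records):
    """How many unclean ICMP packets each source address produced."""
    return Counter(r["src"] for r in records if r["proto"] == "ICMP")


def noisy_icmp_sources(records, threshold):
    """Sources whose unclean-ICMP count reaches the threshold, busiest first."""
    counts = icmp_counts_by_source(records)
    return [src for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    recs = parse_unclean_log(SAMPLE_LOG)
    print(icmp_counts_by_source(recs), noisy_icmp_sources(recs, 2))
```

In practice the threshold would be applied per time window; here it is applied over the whole sample for brevity.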