Re: DOS/Crikey attacks, and ip_conntrack (retry)


> 2. When the ip_conntrack table is full, are old UNREPLIED
> connections dropped to make room for new entries? (thus,
> the DOS attack will not succeed), or, are random UNREPLIED
> entries removed, or, are packets just dropped?
AFAIK FAQ 3.16 says that UNREPLIED entries are stored just to keep
information; they are replaced if necessary with new conntrack entries,
then if we run out of entries, the packets are indeed dropped. This is
accompanied by a kernel syslog message: conntrack full, dropping packet.


> 4. Using the patch for NOTRACK, that provides a path that
> does not add an entry to the session table, does this mean
> the only thing that will break is any ESTABLISHED tests
> elsewhere in the rules? or does it break NAT completely
> and thus can only be used for packets coming in for services
> on the local box, not any hidden NAT'd services?
I have not seen or read about this patch, but without conntrack, NAT
cannot work. The NAT box would not know to whom the returning packets
should be sent.

Regards,
Maciej
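As an added defender-side example (not code from this thread or from the netfilter project), here is a small Python monitor for the condition Maciej describes: it counts the kernel's "table full, dropping packet" messages per syslog minute, measures how much of a /proc/net/nf_conntrack dump is UNREPLIED entries, and rates table utilisation from the nf_conntrack_count / nf_conntrack_max sysctl values. The log and table lines are constructed samples, and the 80% warning threshold is an assumption.

```python
import re
from collections import Counter

# Kernel log text emitted when the table is full: "ip_conntrack:" on
# 2.4/early 2.6 kernels, "nf_conntrack:" on later ones.
TABLE_FULL_RE = re.compile(r"(?:ip_conntrack|nf_conntrack): table full, dropping packet")
# Traditional syslog timestamp, truncated to the minute (e.g. "Mar 12 10:15").
MINUTE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2})")

# Constructed sample syslog lines (not real captured logs).
SAMPLE_LOG = """\
Mar 12 10:15:01 fw kernel: ip_conntrack: table full, dropping packet.
Mar 12 10:15:01 fw kernel: ip_conntrack: table full, dropping packet.
Mar 12 10:15:02 fw sshd[1234]: Accepted publickey for admin from 192.0.2.10
Mar 12 10:16:40 fw kernel: nf_conntrack: table full, dropping packet
Mar 12 10:17:05 fw kernel: eth0: link up
"""

# Constructed sample of /proc/net/nf_conntrack entries (not a real dump).
SAMPLE_TABLE = """\
ipv4 2 tcp 6 117 SYN_SENT src=198.51.100.7 dst=192.0.2.1 sport=40001 dport=80 [UNREPLIED] src=192.0.2.1 dst=198.51.100.7 sport=80 dport=40001 use=1
ipv4 2 tcp 6 117 SYN_SENT src=198.51.100.8 dst=192.0.2.1 sport=40002 dport=80 [UNREPLIED] src=192.0.2.1 dst=198.51.100.8 sport=80 dport=40002 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.1 sport=51000 dport=22 src=192.0.2.1 dst=10.0.0.5 sport=22 dport=51000 [ASSURED] use=1
"""

def table_full_drops_per_minute(log_text):
    """Count 'table full, dropping packet' messages per syslog minute; a burst
    of these is the visible symptom of the table-filling attack in the thread."""
    per_minute = Counter()
    for line in log_text.splitlines():
        if TABLE_FULL_RE.search(line):
            m = MINUTE_RE.match(line)
            per_minute[m.group(1) if m else "unknown"] += 1
    return dict(per_minute)

def unreplied_share(table_text):
    """Return (unreplied, total): how much of the table half-open flows hold."""
    lines = [l for l in table_text.splitlines() if l.strip()]
    return sum("[UNREPLIED]" in l for l in lines), len(lines)

def conntrack_pressure(count, maximum, warn_ratio=0.8):
    """Classify utilisation from nf_conntrack_count / nf_conntrack_max:
    'OK', 'WARN' at or above warn_ratio (assumed 80%), 'FULL' once count reaches maximum."""
    if count >= maximum:
        return "FULL"
    return "WARN" if count / maximum >= warn_ratio else "OK"

if __name__ == "__main__":
    print(table_full_drops_per_minute(SAMPLE_LOG))
    print(unreplied_share(SAMPLE_TABLE))
    print(conntrack_pressure(60000, 65536))
```

On a live box, feed `conntrack_pressure` the contents of /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max, and `unreplied_share` the text of /proc/net/nf_conntrack.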


