Hi,

Our scenario: One firewall serving roughly 5000 in/out connections every second on avg.

Our mission: To only allow FORWARD traffic coming from a trusted NIC or subnet out to the internet, while not letting any traffic at ALL back into that trusted NIC or SUBNET UNLESS it was initiated from within.

Our problem: Using states (ip_conntrack) works, but performance is not good, connections are dropped/lost, etc. We want to somehow implement this without any connection tracking; can this be done?

Our ifaces:
eth1 ( 10.0.0.1 ) Trusted
eth0:1 ( 2.2.2.1 ) Default gateway to 2.2.2.0/24
eth1 ( 1.1.1.1 ) Small /31 subnet for routing; its default gw is 1.1.1.2 and vice versa, all 2.2.2.0/24 traffic routes over here

So, we want 2.2.2.0/24 to be able to initiate any connections they want and get the responses they need back, but we want no connections to be able to come in (i.e. those annoying Windows msg popup ads spammers are using, worm problems, ICMP probes, etc.). I've read up and understand somewhat, but can't seem to figure out how to deal with this in/out issue without using connection tracking.

Thanks!
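A stateless FORWARD ruleset of the kind the post asks about, added here as an illustration and not taken from the thread: it uses `--syn` to refuse inbound TCP connection attempts (SYN set, ACK clear) while letting the rest of a locally-initiated TCP stream through, and for UDP and ICMP, which carry no handshake, it allows only reply-type source ports and message types. Interface names and which NIC faces the 1.1.1.0/31 link are assumptions (the post lists eth1 twice), and IPT defaults to a dry-run echo so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Stateless (no ip_conntrack) FORWARD policy for a trusted subnet.
# IPT defaults to a dry run; run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"
TRUSTED_IF="${TRUSTED_IF:-eth1}"      # assumed: NIC facing 2.2.2.0/24
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"      # assumed: NIC facing the 1.1.1.0/31 link
TRUSTED_NET="${TRUSTED_NET:-2.2.2.0/24}"

stateless_forward_rules() {
    $IPT -P FORWARD DROP

    # Outbound: anything sourced from the trusted subnet on the trusted NIC.
    $IPT -A FORWARD -i "$TRUSTED_IF" -o "$OUTSIDE_IF" -s "$TRUSTED_NET" -j ACCEPT

    # Inbound TCP: --syn matches SYN without ACK, i.e. a new connection
    # attempt. Drop those; every later packet of a connection the inside
    # opened carries ACK, so the plain -p tcp rule lets it back in.
    $IPT -A FORWARD -i "$OUTSIDE_IF" -o "$TRUSTED_IF" -d "$TRUSTED_NET" \
        -p tcp --syn -j DROP
    $IPT -A FORWARD -i "$OUTSIDE_IF" -o "$TRUSTED_IF" -d "$TRUSTED_NET" \
        -p tcp -j ACCEPT

    # Inbound UDP: no handshake to key on, so admit only replies from the
    # server ports the inside actually talks to (DNS, NTP here). Anything
    # else UDP stays at the DROP policy. Note this trusts the source port.
    for sp in 53 123; do
        $IPT -A FORWARD -i "$OUTSIDE_IF" -o "$TRUSTED_IF" -d "$TRUSTED_NET" \
            -p udp --sport "$sp" -j ACCEPT
    done

    # Inbound ICMP: replies and error messages only. echo-request is not
    # listed, so external ping probes fall through to DROP.
    for t in echo-reply destination-unreachable time-exceeded; do
        $IPT -A FORWARD -i "$OUTSIDE_IF" -o "$TRUSTED_IF" -d "$TRUSTED_NET" \
            -p icmp --icmp-type "$t" -j ACCEPT
    done
}

stateless_forward_rules
```

Unlike conntrack, the TCP rule cannot tell a genuine reply from a forged ACK-only packet aimed at an inside host, so it blocks connection establishment rather than all unsolicited packets; the inside host's own stack answers such strays with RST.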