On Wed, Sep 03, 2003 at 10:47:06AM -0700, Andrey Tverdokhleb spoke thusly:

> I'd really like to have some way to bypass ip_conntrack for some
> packets. Basically I need to run very intensive port scanning through my
> firewall, and as soon as ip_conntrack is loaded it dies within seconds from
> SYN flood. Increasing the limit doesn't work because I need about 127000
> packets to be sent from different source ports. So far I just keep
> conntrack unloaded and the firewall works fine as a pure stateless filter. But
> now I need stateful inspection on this machine for some IPs. So the
> question: is it possible to avoid connection tracking for some specific
> IPs?

I think there is a NOTRACK patch somewhere (p-o-m / archives)? Try looking for it; from memory I think that is what you need.
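As an added example (not part of this thread, and not code from either poster): the rule set a NOTRACK-based setup for the situation above would typically end up as, written as a small POSIX shell script. It assumes a kernel and iptables that ship the `raw` table and the `NOTRACK` target (in 2003 a patch-o-matic extra, later mainline) and the `conntrack` match with `--ctstate UNTRACKED`. Hosts and networks passed to `notrack_except` keep full connection tracking; every other packet is marked NOTRACK before ip_conntrack ever sees it, so a scanner's 127000 short-lived flows never fill the table. The function and chain names (`notrack_except`, `untracked`) and the `DRY_RUN` switch are my own and purely illustrative.

```shell
#!/bin/sh
# Added example: keep stateful inspection for a few hosts and bypass
# ip_conntrack for everything else using the raw table's NOTRACK target.
# Assumption: iptables with the raw table, NOTRACK, and
# "-m conntrack --ctstate UNTRACKED" (not stated in the original thread).
# Set DRY_RUN=1 to print the iptables commands instead of running them.

IPT="${IPT:-iptables}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Sanity-check an address as a.b.c.d or a.b.c.d/len, so a typo cannot
# quietly turn into an "exempt nothing / exempt everything" rule set.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|'') return 1 ;;
    esac
    ip="${1%%/*}"; len="${1#*/}"
    [ "$len" = "$1" ] && len=32
    [ "$len" -ge 0 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Usage: notrack_except HOST_OR_NET...   (these keep full conntrack)
notrack_except() {
    for h in "$@"; do
        valid_cidr "$h" || { echo "bad address: $h" >&2; return 1; }
    done
    for chain in PREROUTING OUTPUT; do
        run -t raw -F "$chain"
        # Packets to or from a tracked host leave the raw table normally
        # and are picked up by ip_conntrack as usual.
        for h in "$@"; do
            run -t raw -A "$chain" -s "$h" -j RETURN
            run -t raw -A "$chain" -d "$h" -j RETURN
        done
        # Everything else never creates a conntrack entry.
        run -t raw -A "$chain" -j NOTRACK
    done
    # Caveat: untracked packets carry ctstate UNTRACKED, not NEW or
    # ESTABLISHED, so a ruleset that only accepts ESTABLISHED,RELATED
    # would silently drop them. Send them to a separate chain that holds
    # the purely stateless rules for the rest of the traffic.
    run -N untracked 2>/dev/null || run -F untracked
    run -I FORWARD 1 -m conntrack --ctstate UNTRACKED -j untracked
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
```

Run as root with the tracked hosts as arguments (for example `notrack_except 10.0.0.5 192.168.1.0/24`), or with `DRY_RUN=1` first to inspect the generated rules. The raw table is traversed before connection tracking, which is why the NOTRACK decision has to live there rather than in the filter table.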