On Tuesday 08 June 2004 15:03, Feizhou wrote:
> Antony Stone wrote:
> > On Tuesday 08 June 2004 10:42 am, Feizhou wrote:
> >>>2. /sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>Forget about this. It makes things easier yes but it is too slow if
> >> you come under attack...but then you put everything on one box
> >> seemingly so I guess you don't get much traffic.
> > How do you recommend dealing with reply packets instead?
> So to avoid loading the connection tracking module, I would put rules
> to handle return packets in the proper chain.

A lot of work has gone into connection tracking and, whilst it is entirely possible to implement it yourself using many flag matches, it's hardly worth it.

Connection tracking works very well for me and I imagine many others; I see no reason to try and circumvent that. Is there any good reason not to load connection tracking?

David
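
An added illustration, not written by anyone in this thread, of the two approaches being compared: a flag-match rule decides from the packet alone, while the `--state ESTABLISHED` rule consults a table of connections the host has already seen. The packet model, the `! --syn`-style rule and the sample packets are constructed assumptions and a simplification of what netfilter does.

```python
# Simplified model (an assumption, not netfilter code): compare a stateless
# flag-match rule with a connection-tracking lookup for inbound TCP packets.
from typing import NamedTuple

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the packet, e.g. {"SYN", "ACK"}

def stateless_accept(pkt: Pkt) -> bool:
    """Flag match in the spirit of '-p tcp ! --syn -j ACCEPT':
    accept anything that is not a bare connection-opening SYN."""
    is_new_syn = "SYN" in pkt.flags and not ({"ACK", "RST", "FIN"} & pkt.flags)
    return not is_new_syn

class ConnTable:
    """Tracks connections opened by this host, keyed on the reply 4-tuple."""
    def __init__(self):
        self._expected = set()

    def outbound(self, pkt: Pkt) -> None:
        # Record the tuple that a reply to this outbound packet would carry.
        self._expected.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def stateful_accept(self, pkt: Pkt) -> bool:
        """Model of '-m state --state ESTABLISHED -j ACCEPT'."""
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self._expected

# Constructed sample traffic using documentation address ranges.
HOST = "192.0.2.10"
syn_out = Pkt(HOST, 40000, "198.51.100.5", 80, frozenset({"SYN"}))
reply = Pkt("198.51.100.5", 80, HOST, 40000, frozenset({"SYN", "ACK"}))
stray_ack = Pkt("203.0.113.9", 80, HOST, 22, frozenset({"ACK"}))
new_syn = Pkt("203.0.113.9", 5555, HOST, 22, frozenset({"SYN"}))

def demo():
    """Return (stateless, stateful) verdicts for reply, stray_ack, new_syn."""
    table = ConnTable()
    table.outbound(syn_out)
    inbound = [reply, stray_ack, new_syn]
    return [(stateless_accept(p), table.stateful_accept(p)) for p in inbound]

if __name__ == "__main__":
    for name, verdict in zip(("reply", "stray_ack", "new_syn"), demo()):
        print(name, "stateless=%s stateful=%s" % verdict)
```

Both rules pass the genuine reply and drop the new SYN; they differ only on the ACK that belongs to no connection the host opened, which the flag match has no way to distinguish from return traffic.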