I'm answering my own post for the archives.

On Fri, 2004-05-28 at 15:55, Sheldon Hearn wrote:

> It seems that, in linux-2.6.5 w/ CONNMARK from patch-o-matic 20040302,
> the CONNMARK --restore-mark modifier causes a conntrack entry to be
> created if it doesn't already exist.
>
> I'm using CONNMARK to remember customer-initiated connections and route
> them differently from "wild world"-initiated connections. I don't want
> to mark "wild world"-initiated connections, because a SYN flood then
> becomes a trivial way to DOS the conntrack table, and thus the firewall.
>
> Any idea how to stop this happening?

You can prevent certain packets from creating a conntrack table entry
with the "raw" patch, which adds a raw table, a NOTRACK target and an
UNTRACKED state match. Available in pom-ng, as of at least 20040631.

Ciao,
Sheldon.
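The ruleset below is an added example, not part of the mail above, showing how the three pieces named in the reply fit together: a NOTRACK rule in the raw table keeps unsolicited SYNs from the outside out of the conntrack table, CONNMARK marks customer-initiated connections, and the UNTRACKED state match keeps --restore-mark away from packets that have no conntrack entry. The interface names (eth0, eth1), the customer prefix (10.0.0.0/8) and the mark value are assumptions; the script only emits an iptables-restore file and applies nothing unless run with --apply.

```shell
#!/bin/sh
# Added example, not from the original mail: keep conntrack and CONNMARK for
# customer-initiated connections while leaving world-initiated SYNs untracked,
# so a SYN flood cannot grow the conntrack table. Names below are assumptions.
WAN_IF="${WAN_IF:-eth0}"            # assumed: link towards the "wild world"
CUST_IF="${CUST_IF:-eth1}"          # assumed: link towards the customers
CUST_NET="${CUST_NET:-10.0.0.0/8}"  # assumed: customer address space
CUST_MARK="${CUST_MARK:-0x1}"       # fwmark consumed by an "ip rule fwmark" policy route

# Emit an iptables-restore file on stdout. Nothing is applied here.
build_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# A bare SYN arriving from the outside can only be a new, world-initiated
# attempt. NOTRACK makes conntrack skip the packet entirely: no table entry
# is created, and CONNMARK --restore-mark in mangle cannot create one either.
-A PREROUTING -i $WAN_IF -p tcp --syn -j NOTRACK
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
# Remember customer-initiated connections in their conntrack entry.
-A PREROUTING -i $CUST_IF -s $CUST_NET -p tcp --syn -j CONNMARK --set-mark $CUST_MARK
# Copy the connection mark back onto every tracked packet, in both directions,
# so the routing decision (ip rule ... fwmark $CUST_MARK) sees it. Untracked
# packets are excluded explicitly: there is no entry to read the mark from.
-A PREROUTING -m state ! --state UNTRACKED -j CONNMARK --restore-mark
COMMIT
EOF
}

case "${1:-}" in
    --apply) build_rules | iptables-restore ;;   # needs root and a kernel with the raw table
    *)       build_rules ;;                      # dry run: print the ruleset
esac
```

Two caveats belong with this. Only the initial SYN is untracked here; once a world-initiated connection gets past the handshake, conntrack's mid-stream pickup (the tcp_loose setting) will still create an entry for its later packets, so this closes the SYN-flood vector named in the mail rather than removing those connections from the table altogether, and untracking more of the outside traffic is only possible where replies to customer-initiated connections can be told apart by address or interface. On current kernels the NOTRACK target has been superseded by `-j CT --notrack`, and `-m conntrack --ctstate UNTRACKED` is the modern spelling of the state match.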