On Sun, 1 Aug 2004, Antony Stone wrote:

> On Sunday 01 August 2004 8:03 pm, Jason Opperisano wrote:
>
> > <OT>
> > Where is the new-found obsession with dropping packets in the NAT table
> > coming from? </OT>
>
> Indeed. A few people here have commented recently that they prefer dropping
> stuff in the PREROUTING nat table instead of waiting until it hits INPUT or
> FORWARD, for things like spoofed packets or invalid TCP flag combinations.

And those forget that conntrack has already seen the packets. Better use the raw
table to drop malformed/spoofed packets.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
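To make the point of the reply concrete, here is an added example (not from the thread or from the netfilter project) that puts the "too late" nat PREROUTING drop beside the raw PREROUTING version. It assumes eth0 is the WAN interface and 192.168.0.0/16 is the internal range; the IPT variable is only there so the rules can be printed instead of applied.

```shell
#!/bin/sh
# Added example: drop spoofed / malformed packets in the raw table so
# conntrack never creates state for them, instead of in nat PREROUTING.
# Assumptions: WAN interface is eth0, LAN range is 192.168.0.0/16.
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"

# Too late: by the time a packet reaches nat PREROUTING, conntrack has
# already seen it and set up an entry. The nat table also only sees the
# first packet of a flow, so later packets of the same flow are never
# matched here at all.
nat_drop_rules_too_late() {
    $IPT -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
}

# Better: raw PREROUTING is hooked before conntrack, so a packet dropped
# here never touches the state table.
raw_drop_rules() {
    # Spoofed: internal or loopback source address arriving on the WAN side
    $IPT -t raw -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
    $IPT -t raw -A PREROUTING -i eth0 -s 127.0.0.0/8 -j DROP
    # Invalid TCP flag combinations
    $IPT -t raw -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -t raw -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -t raw -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
}
```

Run `IPT=echo sh -c '. ./rules.sh; raw_drop_rules'` to review the rule set before loading it as root.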