Hi guys,

I had a usage question about tarpit with respect to connection tracking. We have a firewall that has fairly heavy usage, so we have put a separate box external to the firewall to do tarpitting of port scanners. Anyway, we are still being hit pretty hard by many things on this firewall. I was thinking about configuring tarpit on the firewall cluster but wanted to ensure that connection tracking wasn't a problem. Is it as simple as just sending the connection to the NOTRACK target before sending it to tarpit?

    # raw table: exempt the flow from conntrack before it is tracked (the raw table has no INPUT chain; inbound packets use PREROUTING)
    iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
    # filter table: answer the SYN and hold the peer without creating state
    iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

Is there a better approach to this? Will this even work? The rules above are more or less just a sample. I would want to block almost all traffic destined for the INPUT chain on the firewall on the external interface unless it is related traffic.

Gary Wayne Smith
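The rule layout the post is asking about, written out as an added example (this is not code from the original post or from the netfilter project). It assumes an external interface named eth0, a port list of 80 and 443, and that the xt_TARPIT module from xtables-addons is available; DRY_RUN=1 (the default) prints the iptables commands instead of executing them, so the script can be inspected without root. The NOTRACK rule lives in raw/PREROUTING, which runs before conntrack and is the only inbound chain in the raw table, and is limited to addresses local to the firewall so that forwarded traffic stays tracked. In filter/INPUT, replies to the firewall's own outbound connections are accepted first, only UNTRACKED packets reach TARPIT (so tarpitted flows never occupy conntrack entries), and everything else on the external side is dropped.

```shell
#!/bin/sh
# Added example: tarpit selected ports on the external interface without
# letting the tarpitted flows consume conntrack entries.
# Assumed values: WAN interface "eth0", ports "80 443", xt_TARPIT loaded.

WAN="${WAN:-eth0}"
PORTS="${PORTS:-80 443}"
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# run: print or execute a single iptables command, depending on DRY_RUN
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# tarpit_rules WAN "PORT ...": emit (or apply) the complete rule set
tarpit_rules() {
    wan="$1"; ports="$2"
    for p in $ports; do
        # raw/PREROUTING runs before connection tracking; there is no INPUT
        # chain in the raw table. Restricting to addresses local to the
        # firewall keeps traffic that is merely forwarded tracked as usual.
        run -t raw -A PREROUTING -i "$wan" -p tcp --dport "$p" \
            -m addrtype --dst-type LOCAL -j NOTRACK
    done
    # Replies to connections the firewall itself opened (and related ICMP)
    # are still tracked, because NOTRACK only matched the chosen dports.
    run -A INPUT -i "$wan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $ports; do
        # Only untracked packets reach TARPIT, so a tarpitted peer never
        # creates a conntrack entry or a socket on the firewall.
        run -A INPUT -i "$wan" -p tcp --dport "$p" \
            -m conntrack --ctstate UNTRACKED -j TARPIT
    done
    # Everything else aimed at the firewall from the outside is dropped.
    run -A INPUT -i "$wan" -j DROP
}

# rule_count WAN "PORT ...": number of commands the rule set issues
# (a sanity check: 2 rules per port plus the ACCEPT and DROP rules)
rule_count() {
    (DRY_RUN=1; tarpit_rules "$1" "$2") | wc -l | tr -d ' '
}

tarpit_rules "$WAN" "$PORTS"
```

Run it once with the default DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 as root to apply them; the port list is the only thing that needs to change to match what the external tarpit box currently handles.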