Re: iptables leaking blocked ip addresses.

On Tue, 21 Jun 2005, Jan Engelhardt wrote:

> >> > using tarpit instead of just dropping the connections.
> >> Whatever. Without connection tracking you might as well use ipchains.
> >the tarpit howto does say to turn connection tracking off.
>
> No, it does not! To quote:
>
>   You probably don't want the conntrack module loaded while you are using
>   TARPIT, or you will be using resources per connection.
>
> Which is not the same as "does not work with conntrack".

The overhead of TARPIT created in conntrack can completely be avoided by
using NOTRACK and TARPIT targets together.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
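Jozsef's suggestion expressed as a ruleset, as an added example that is not from the original thread: a POSIX sh function that prints an iptables-restore fragment pairing NOTRACK in the raw table (traversed before conntrack) with TARPIT in the filter table, plus a self-check on the generated text. Port 25, interface eth0 and the NOTRACK rule on the tarpit's outbound replies are assumed values, and the TARPIT target needs the out-of-tree module (xtables-addons, formerly patch-o-matic).

```shell
#!/bin/sh
# Added example, not from the original thread: emit an iptables-restore
# ruleset that pairs NOTRACK with TARPIT so tarpitted connections never
# occupy a conntrack entry. Port and interface are assumed values.
# Usage: tarpit_ruleset <tcp-port> [iface]   (prints rules, applies nothing)
tarpit_ruleset() {
    port=$1
    iface=${2:-eth0}
    cat <<EOF
# The raw table is hit before connection tracking, so NOTRACK here keeps
# the inbound SYNs, and the tarpit's own replies on that port, untracked.
*raw
-A PREROUTING -i $iface -p tcp --dport $port -j NOTRACK
-A OUTPUT -o $iface -p tcp --sport $port -j NOTRACK
COMMIT
*filter
# TARPIT completes the handshake and holds the peer without a socket;
# with the rules above it also costs no conntrack entry.
-A INPUT -i $iface -p tcp --dport $port -j TARPIT
COMMIT
EOF
}

# Sanity check on the generated text: one NOTRACK per direction, one
# TARPIT, and the NOTRACK rules placed in *raw (the only table that runs
# before conntrack).
check_ruleset() {
    rules=$(tarpit_ruleset "$1" "$2")
    printf '%s\n' "$rules" | grep -c -- '-j NOTRACK' | grep -qx 2 || return 1
    printf '%s\n' "$rules" | grep -c -- '-j TARPIT'  | grep -qx 1 || return 1
    printf '%s\n' "$rules" | sed -n '/^\*raw/,/^COMMIT/p' \
        | grep -q -- '-j NOTRACK' || return 1
    return 0
}

# Load the rules only when explicitly asked and running as root;
# otherwise just print them for review.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    tarpit_ruleset "${1:-25}" "${2:-eth0}" | iptables-restore -n
else
    tarpit_ruleset "${1:-25}" "${2:-eth0}"
fi
```

Whether the tarpit rules really stay out of conntrack can be confirmed on a live box by watching /proc/net/nf_conntrack (or `conntrack -L`) for entries on the tarpitted port while a connection is held.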
