> The overhead of TARPIT created in conntrack can completely be avoided by
> using NOTRACK and TARPIT targets together.

Probably, but it does not belong to the topic ("leaking blocked ip addr.s").

On the NOTRACK, I've got a question, or maybe just a weird problem: NOTRACK is only valid in the mangle table, and TARPIT is one of the last rules in my filter:INPUT set. So it looks to me like I would need to copy all filter:INPUT rules that -j ACCEPT into mangle:INPUT, because a plain -j NOTRACK would disable tracking everything, and I can't just do -p tcp --dport 25 -j NOTRACK, because it's a lot more than just dport 25.

Jan Engelhardt
-- 
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de