On Tue, 21 Jun 2005, Jan Engelhardt wrote:

> > > The overhead of TARPIT created in conntrack can completely be avoided by
> > > using NOTRACK and TARPIT targets together.
> >
> > Probably, but it does not belong to the topic ("leaking blocked ip addr.s").

Yes, diverted from the original topic - I wrote it for the sake of completeness.

> On the NOTRACK, I've got a question, or maybe just a weird problem:
> NOTRACK is only valid in the mangle table, and TARPIT is one of the last rules
> in my filter:INPUT set.
>
> So it looks to me like I would need to copy all filter:INPUT rules that -j
> ACCEPT into mangle:INPUT - because a plain -j NOTRACK would disable tracking
> everything, and I can't just do -p tcp --dport 25 -j NOTRACK, because it's a
> lot more than just dport 25.

NOTRACK is valid in the raw table alone. If you want a generic "NOTRACK and
TARPIT everything which is not allowed", then that I think won't go.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
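The per-port form of "NOTRACK and TARPIT together" that the thread refers to, as an added example that is not part of the original mails and not code from any of the participants. It generates the raw-table NOTRACK rule and the filter-table TARPIT rule for each listed port from one list, so the two tables cannot drift apart; it does not attempt the generic "tarpit everything not accepted" variant that Jozsef says will not work. The port list (25, 135, 445), the `IPT` variable and the function names are assumptions for illustration; by default the script only prints the iptables commands, set `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: keep raw:PREROUTING NOTRACK and
# filter:INPUT TARPIT in sync for a fixed list of tarpit ports.
# IPT is an assumption: it defaults to printing the commands so the
# script can be run without root or iptables; set IPT=iptables for real.

IPT="${IPT:-echo iptables}"

# Weak form: TARPIT alone in filter:INPUT. Every tarpitted SYN still
# creates a conntrack entry, which is the overhead the thread talks about.
tarpit_rules_tracked() {
    port="$1"
    ${IPT} -t filter -A INPUT -p tcp --dport "$port" -j TARPIT
}

# Corrected form: NOTRACK belongs in the raw table (not mangle, as the
# reply points out). The inbound packet is marked untracked before
# conntrack sees it, then tarpitted in filter:INPUT. Untracked packets
# never match "-m state --state ESTABLISHED", so a conntrack-based
# accept rule earlier in INPUT will not swallow them; the TARPIT rule
# must still sit before any final DROP in that chain.
tarpit_rules_untracked() {
    port="$1"
    ${IPT} -t raw -A PREROUTING -p tcp --dport "$port" -j NOTRACK
    ${IPT} -t filter -A INPUT -p tcp --dport "$port" -j TARPIT
}

# Emit the paired rules for every port given as an argument.
gen_tarpit_rules() {
    for port in "$@"; do
        tarpit_rules_untracked "$port"
    done
}

# Constructed port list for illustration; pick the ports you do not
# serve and want to tarpit instead of reject.
gen_tarpit_rules 25 135 445
```

Because the raw table has no knowledge of what filter:INPUT will later accept, the list of tarpit ports has to be explicit; this is the duplication Jan describes, reduced to a single list in one place rather than a generic rule.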