On Sun, 3 Jul 2005, Jan Engelhardt wrote:

> >> iptables -t mangle -A PREROUTING -i ! eth1 -s
> >> 2xx.xx.xxx.224/255.255.255.240 -j DROP
> >
> >If you support 2.6.x kernels, I'd suggest to use the raw table instead:
> >thus the unnecessary load on conntrack could be avoided.
>
> Why use this sort of replacement for rp_filter anyway? What's bad with
> rp_filter? (Apart from the problem with asymmetric routing, as is mentioned
> in net/ipv4/*.)

Thus one can disable rp_filter and collect the logs together with all the
"other" firewall log entries.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
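The thread's point, put into a script: instead of relying on rp_filter, an explicit anti-spoofing rule in the raw table logs and drops packets that claim a LAN source address but arrive on a non-LAN interface, before conntrack ever sees them, so the log lines land with the rest of the firewall log. This is an added example written for this page, not code from the thread or from the netfilter project. It assumes eth1 as the LAN interface (as in the quoted rule), a constructed placeholder prefix 203.0.113.224/28 in place of the thread's masked one, a user chain named ANTISPOOF and the log prefix "SPOOF: "; all four are assumptions, overridable through environment variables. Rule generation is kept separate from execution so the rule set can be reviewed (or checked in a test) without root.

```shell
#!/bin/sh
# Added example, not from the thread: anti-spoofing in the raw table as a
# replacement for rp_filter, with logging so the events sit in the firewall log.
# Constructed assumptions: LAN behind eth1, LAN prefix 203.0.113.224/28 (the
# thread masks its real prefix), chain name ANTISPOOF, log prefix "SPOOF: ".

LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-203.0.113.224/28}"
LOG_PREFIX="${LOG_PREFIX:-SPOOF: }"

# Emit the iptables commands as text, one per line.
# Current iptables syntax negates the option as '! -i eth1'; the quoted 2005
# rule used the older '-i ! eth1' form.
antispoof_rules() {
    ifc="$1"
    net="$2"
    prefix="$3"
    # raw PREROUTING runs at hook priority -300, ahead of conntrack (-200) and
    # mangle (-150): a packet dropped here never creates a conntrack entry,
    # which is the load saving the thread refers to.
    printf '%s\n' "iptables -t raw -N ANTISPOOF"
    printf '%s\n' "iptables -t raw -A PREROUTING ! -i $ifc -s $net -j ANTISPOOF"
    # Log first, rate-limited so a flood of spoofed packets cannot fill the log,
    # then drop.
    printf '%s\n' "iptables -t raw -A ANTISPOOF -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"$prefix\""
    printf '%s\n' "iptables -t raw -A ANTISPOOF -j DROP"
}

# Commands that switch off rp_filter for the interface, since the explicit
# rules above take over its job. The kernel uses the larger of the "all" and
# per-interface values, so both are set.
rp_filter_off_cmds() {
    ifc="$1"
    printf '%s\n' "sysctl -w net.ipv4.conf.all.rp_filter=0"
    printf '%s\n' "sysctl -w net.ipv4.conf.$ifc.rp_filter=0"
}

# Number of generated iptables commands (handy for a self-check).
antispoof_rule_count() {
    antispoof_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Execute the generated commands; needs root and a raw-table-capable
# (2.6+) kernel, as the thread notes.
apply_antispoof() {
    { antispoof_rules "$LAN_IF" "$LAN_NET" "$LOG_PREFIX"
      rp_filter_off_cmds "$LAN_IF"; } | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# APPLY=1 loads the rules; the default only prints them for review.
if [ "${APPLY:-0}" = "1" ]; then
    apply_antispoof
else
    antispoof_rules "$LAN_IF" "$LAN_NET" "$LOG_PREFIX"
    rp_filter_off_cmds "$LAN_IF"
fi
```

Run it without arguments to print the rule set; `APPLY=1 ./antispoof.sh` (as root) installs it. Matching on `! -i $ifc` rather than on `-i` of every other interface means the rule keeps working when interfaces are added later, and the LOG/DROP pair lives in its own chain so the same logging policy can be reused for further prefixes.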