On Sat, 1 Oct 2005, /dev/rob0 wrote:
> Also, I'm not sure it would do anything at all, because there cannot be
> that many --state NEW connections in such a short time. Conntrack would
> call those "RELATED". I think you should try --syn, not --state NEW.
The syn part is correct, but not RELATED.
Each time a new connection is seen (unique source/destination/ports) the
first packet is NEW, simply by the fact that the connection is not yet
known to conntrack.
conntrack calls syn retransmits on already accepted connections as
ESTABLISHED.
RELATED is "NEW" on other traffic flows which form a known related
connection to an already known connection. For example the data channel in
the FTP protocol.
NEW is not related to syn, even if most TCP packets with state NEW are syn
packets. Any packet from a TCP (or UDP) session not yet known to conntrack
is NEW, even a TCP RST packet.
Regards
Henrik
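A toy model of the NEW / ESTABLISHED / RELATED distinction Henrik describes, added here as an illustration; it is not code from this thread or from netfilter. The packets, addresses and the FTP helper expectation are constructed, and real conntrack also tracks TCP state and timeouts, which this model leaves out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset() # TCP flags such as {"SYN"} or {"RST"}; empty for UDP

def key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def reverse_key(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)

class Conntrack:
    # Minimal stand-in for the conntrack table: flows seen so far plus helper expectations.
    def __init__(self):
        self.flows = set()      # 5-tuples already known (checked in both directions)
        self.expected = set()   # flows a helper (e.g. FTP) told us to expect

    def expect(self, proto, src, sport, dst, dport):
        # What the FTP helper does after parsing PORT/PASV: register the data channel.
        self.expected.add((proto, src, sport, dst, dport))

    def classify(self, p):
        k = key(p)
        if k in self.flows or reverse_key(p) in self.flows:
            return "ESTABLISHED"       # includes a SYN retransmit on an accepted flow
        self.flows.add(k)
        if k in self.expected:
            self.expected.discard(k)
            return "RELATED"           # unknown flow, but predicted from a known one
        return "NEW"                   # unknown flow: NEW whatever the flags, even RST

def is_syn(p):
    # What iptables --syn matches: SYN set, ACK/RST/FIN clear.
    return p.proto == "tcp" and "SYN" in p.flags and not p.flags & {"ACK", "RST", "FIN"}

def demo():
    # Walk constructed packets through the table; returns (state, matches --syn) pairs.
    ct = Conntrack()
    ctl = Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 21, frozenset({"SYN"}))
    out = [(ct.classify(ctl), is_syn(ctl))]          # ("NEW", True)
    out.append((ct.classify(ctl), is_syn(ctl)))      # SYN retransmit: ("ESTABLISHED", True)
    ct.expect("tcp", "192.0.2.10", 20, "10.0.0.5", 40001)   # active-mode FTP data channel
    data = Packet("tcp", "192.0.2.10", 20, "10.0.0.5", 40001, frozenset({"SYN"}))
    out.append((ct.classify(data), is_syn(data)))    # ("RELATED", True)
    rst = Packet("tcp", "198.51.100.7", 1234, "10.0.0.5", 22, frozenset({"RST"}))
    out.append((ct.classify(rst), is_syn(rst)))      # unknown flow: ("NEW", False)
    return out
```

The last case is the point of the message: a stray RST on a flow the table has never seen is classified NEW although it would never match --syn, so a rule keyed on --state NEW and one keyed on --syn do not see the same packets.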