On Mon, 10 Oct 2005, Marek Zachara wrote:
> I did try. However, even adding a blocking rule (-p udp -j DROP) at PREROUTING and keeping that rule in place for 5 minutes doesn't clean the conntrack; somehow the entry is 'sustained' by the incoming packets even if they are being dropped early in the chain.
If the conntrack entry already exists, then a DROP rule will probably not help if the traffic is frequent.
However, if there is not yet an entry, then DROP should prevent the conntrack entry from being set up (yes, technically a conntrack entry is still created, but it is never confirmed or registered, as the packet is dropped).
Regards,
Henrik