RE: tarpit before or after adding chain?


 



We have a class /21 block so it's more than a few a day for us.  So I
just do it for general purposes.  But yes, you do not have to drop
connection tracking for this.  In our case, it's a couple per second and
our connection tracking gets filled up pretty quick. 

But just because he is running Linux doesn't make this invalid.  We use
Linux boxes to slow people from hitting the Windows boxes with their
afflicted boxes.  So it suddenly makes sense to do what he is doing if
he is using it in that capacity.

When these rules go off on our boxes we use it to build out temporary
filter rules as well using some scripts.   

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Georgi Alexandrov
> Sent: Saturday, December 17, 2005 1:18 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: tarpit before or after adding chain?
> 
> Gary W. Smith wrote:
> 
> >This should also work as well.  We tarpit all data which should never
> >come through our firewalls.  We also disabled tracking for the same.  We
> >don't want the firewall wasting resources on this garbage.  Another
> >trick that we do is we also dedicate a high/low IP for catching things
> >like SQL, HTTP, VNC, RDC, etc.  This way things walking the network will
> >sometimes get hung, if they are not threaded.
> >
> >
> I don't think that his *one or two per day* cmd.exe automatic scans will
> get "through his firewall",
> or will "waste resources".
> Maybe filling your firewall with those useless rules will waste more
> resources? ;-)
> 
> *Think again* (as seen on the National Geographic channel)
> 
> 
> regards,
> Georgi Alexandrov
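
The setup discussed in this thread (tarpit traffic that should never arrive, and exempt it from connection tracking so it cannot fill the conntrack table), sketched as an added example that is not from either poster. The function name, the trap addresses and the port list are constructed assumptions; it only prints an `iptables-restore` ruleset and changes nothing on the host.

```shell
#!/bin/sh
# Added example. Addresses, ports and the function name are constructed.
# TARPIT is an add-on target (patch-o-matic, later xtables-addons); NOTRACK
# is written "-j CT --notrack" on current kernels.
# Caveat: --dport also matches replies to an inside client that happens to
# use that number as its source port, so keep PORTS to destinations that
# are never legitimate here, or rely on the trap IPs alone.

# gen_tarpit_rules CHAIN "TRAP_IPS" "PORTS"
#   CHAIN     INPUT (firewall owns the addresses) or FORWARD (routes to them)
#   TRAP_IPS  unused low/high addresses dedicated to catching scanners
#   PORTS     TCP ports that should never come through the firewall
gen_tarpit_rules() {
    chain=$1 trap_ips=$2 ports=$3
    case $chain in
        INPUT|FORWARD) ;;
        *) echo "chain must be INPUT or FORWARD" >&2; return 1 ;;
    esac
    # One match expression per line, shared by both tables so that every
    # tarpitted flow is also untracked.
    matches=$(
        for ip in $trap_ips; do echo "-p tcp -d $ip"; done
        for port in $ports; do echo "-p tcp --dport $port"; done
    )
    [ -n "$matches" ] || { echo "nothing to tarpit" >&2; return 1; }

    # raw table runs before conntrack: skip tracking for this traffic.
    echo '*raw'
    echo "$matches" | while IFS= read -r m; do
        echo "-A PREROUTING $m -j NOTRACK"
    done
    echo 'COMMIT'
    # filter table: accept the handshake and hold the connection open.
    echo '*filter'
    echo "$matches" | while IFS= read -r m; do
        echo "-A $chain $m -j TARPIT"
    done
    echo 'COMMIT'
}

# Constructed sample: two trap IPs plus the SQL, VNC and RDC ports.
gen_tarpit_rules FORWARD "192.0.2.1 192.0.2.254" "1433 5900 3389"
```

The output can be reviewed and then loaded with `iptables-restore --noflush` so existing rules are kept.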



