Hello,

J. Bakshi wrote:
>
> nmap scan " nmap -P0 ...." makes my apache connection super slow !!!

What do you mean exactly by "slow" ? Low transfer rate ? It takes longer to establish a connection ?

> ## SYN-FLOODING PROTECTION
> iptables -N syn-flood
> iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
> iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN

1/s is much too strict. Even in normal use a server may receive many more connection requests in one second.

> ## FRAGMENTS
> iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
> iptables -A INPUT -i $IFACE -f -j DROP

Useless. Fragment reassembly occurs before the INPUT chain (and even before the PREROUTING chains - except in the 'raw' table - when conntrack is enabled), so there are no fragments there.

> But nmap scan on the server makes apache connection running on it super
> slow !!!
> If I stop the scan apache becomes normal again.
> Is there any trick to keep the connection normal even while scanners are
> doing their job ? Please suggest how to cope with it.

Make an exception to the syn flood protection for TCP port 80 (or any port apache listens on), with at least a much higher limit than 1/s. How high ? Well, as high as your system can take without choking.

--
To unsubscribe from this list: send the line "unsubscribe netfilter"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
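One way to lay out the SYN-flood rules with the per-port exception the reply recommends, as an added example that is not from this thread: the web port gets its own chain with a much higher limit, and its rule is placed before the catch-all jump so Apache's SYNs never reach the strict chain. The interface name, the limit values and the trailing DROP are assumptions to tune for the real server; with IPT left at its default the script only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the original poster's ruleset.
# IPT defaults to "echo iptables" so this is a dry run; export IPT=iptables
# and run as root to actually load the rules.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"            # assumption: adjust to the real interface
WEB_PORT="${WEB_PORT:-80}"        # the port apache listens on
WEB_LIMIT="${WEB_LIMIT:-200/s}"   # assumption: far above the original 1/s
WEB_BURST="${WEB_BURST:-400}"
OTHER_LIMIT="${OTHER_LIMIT:-20/s}" # assumption: stricter limit for other ports
OTHER_BURST="${OTHER_BURST:-40}"

syn_flood_rules() {
    # One generous chain for the web port, one stricter chain for everything else.
    $IPT -N syn-flood-web
    $IPT -N syn-flood
    # The web-port rule must come first in INPUT: rules are matched in order,
    # so if the generic jump came first every SYN would hit the strict chain.
    $IPT -A INPUT -i "$IFACE" -p tcp --syn --dport "$WEB_PORT" -j syn-flood-web
    $IPT -A INPUT -i "$IFACE" -p tcp --syn -j syn-flood
    # SYNs within the limit RETURN to INPUT; the rest are dropped
    # (the DROP after RETURN is an assumption; the quoted script only showed RETURN).
    $IPT -A syn-flood-web -m limit --limit "$WEB_LIMIT" --limit-burst "$WEB_BURST" -j RETURN
    $IPT -A syn-flood-web -j DROP
    $IPT -A syn-flood -m limit --limit "$OTHER_LIMIT" --limit-burst "$OTHER_BURST" -j RETURN
    $IPT -A syn-flood -j DROP
}

syn_flood_rules
```

Run it once without IPT set to review the generated commands; an nmap SYN sweep of the other ports then only consumes the strict chain's budget, not the web port's.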