Hello,

Could someone help explain what the conntrack module does in TCP connection negotiation in the following three cases (host N is behind the NAT and host P is on the other side of the NAT):

A: P sends a SYN to H and H replies with a SYN-ACK with an invalid sequence number. (If this passes normally through, is it possible to filter it out?)

B: P sends a SYN to H and H replies with a non SYN-ACK (3-way-handshake) or SYN (TCP simultaneous open) package.

C: If the "--random" option is given to the postrouting chain, what happens if the clients use up all the ports?

Many thanks,
Denes Nemeth