Since I am dropping all SYN packets, there won't be any connection in SYN ACCEPT state (netstat).

On Sat, Feb 27, 2010 at 12:39 PM, <lists@xxxxxxxxxxxxxxx> wrote:
> On Sat, 2010-02-27 at 11:05 +0530, ratheesh k wrote:
>> iptables -A INPUT -j DROP
>> iptables -A OUTPUT -j ACCEPT
>>
>> When I SYN flooded my desktop, I can see all pkts are getting
>> rejected by the rule. But the system becomes slow because of this. Is
>> there any way to make the system fast? Will blacklisting help?
>
> IIRC syn_cookies were meant to deal with that.
>
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> http://www.securityfocus.com/infocus/1729
> http://www.unixresources.net/linux/lf/57/archive/00/00/09/85/98546.html
>
> --
> Rob
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
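As an added example (not code from anyone in this thread), the two checks the thread relies on, done the way one would on the host: counting half-open SYN_RECV sockets per remote peer from netstat-style output, and verifying that the tcp_syncookies sysctl Rob mentioned is actually on. The netstat sample at the bottom is constructed, and the sysctl path argument exists only so the check can be exercised against a file other than /proc.

```shell
#!/bin/sh
# Added example, not from the thread. Inspect half-open TCP state the way
# the poster used netstat, and check the tcp_syncookies setting.
# Socket listings are read from stdin so a saved `netstat -ant` capture works.

# Count sockets in SYN_RECV grouped by remote address (port stripped),
# busiest peer first. Usage: netstat -ant | syn_recv_by_peer
syn_recv_by_peer() {
    awk '$6 == "SYN_RECV" {
            peer = $5; sub(/:[0-9]+$/, "", peer)   # drop the remote port
            n[peer]++
         }
         END { for (p in n) print n[p], p }' | sort -rn
}

# Total number of SYN_RECV sockets in the input (0 when there are none,
# which is what the poster expects while INPUT is set to DROP).
syn_recv_total() {
    awk '$6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# Return 0 when tcp_syncookies is enabled (1 or 2) in the given sysctl file.
# Default is the real /proc path; passing another path is for testing only.
syncookies_enabled() {
    f="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -r "$f" ] && [ "$(cat "$f")" -ge 1 ]
}

# Constructed sample of `netstat -ant` output (documentation-range addresses).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           198.51.100.7:41822      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:1025        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:1026        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:2001        SYN_RECV
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

# Self-check on the constructed sample.
printf '%s\n' "$SAMPLE" | syn_recv_total      # prints 3
printf '%s\n' "$SAMPLE" | syn_recv_by_peer    # prints "2 203.0.113.5" then "1 203.0.113.9"
```

On a live host, pipe `netstat -ant` (or `ss -tan`) into the functions and run `syncookies_enabled` with no argument; a large SYN_RECV count from few peers with syncookies off is the slow-host condition the thread describes.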