Pascal Hambourg wrote:
It depends on your needs.
The state NEW doesn't work for my Apache server, only the --syn flag. It seems that many packets on my server aren't caught by the NEW rule, because my server thinks they are not NEW. The clients still want to establish a connection, but my server only lets NEW packets in. If some of my friends want to connect several times, or when the first packet doesn't fit my rules, then they fall into my blacklist and I get problems. :-(
So it is better to set up a rule with the --syn argument combined with the hashlimit extension, to be safe against SYN flood attacks.
What do you think?

regards
markus
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
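The rule combination the post proposes (--syn plus hashlimit), as an added example that is not part of markus's message or the netfilter project's own documentation. The port (80), the rate (20 SYN/s) and the burst (40) are assumptions chosen for illustration; the shell function only emits the rules, and the IPTABLES variable exists so the rules can be dry-run with IPTABLES=echo instead of being loaded into a live kernel:

```shell
#!/bin/sh
# Added example (not from the original post): per-source SYN rate limit
# built from the --syn flag and the hashlimit match, as proposed above.
# Port 80, 20 SYN/s and burst 40 are assumed values, not from the post.
# IPTABLES defaults to the real binary; set IPTABLES=echo to dry-run.
IPTABLES="${IPTABLES:-iptables}"

# syn_limit_rules PORT RATE BURST
# Emits three INPUT rules, in this order:
#   1. packets belonging to a tracked connection are accepted outright,
#      so the rate limit never touches an established session;
#   2. a SYN (SYN set, ACK/RST/FIN clear, which is what --syn matches)
#      from a source address that is already above RATE/second is dropped;
#   3. every remaining SYN to PORT is accepted.
# hashlimit-mode srcip keeps one token bucket per client address, so one
# flooding host cannot use up the budget of everybody else.
syn_limit_rules() {
    port=$1; rate=$2; burst=$3
    "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp --dport "$port" --syn \
        -m hashlimit --hashlimit-name "syn_$port" \
        --hashlimit-mode srcip \
        --hashlimit-above "${rate}/second" --hashlimit-burst "$burst" \
        -j DROP
    "$IPTABLES" -A INPUT -p tcp --dport "$port" --syn -j ACCEPT
}

# Stand-alone use: "sh this_script.sh apply" loads the rules;
# "IPTABLES=echo sh this_script.sh apply" only prints them.
if [ "${1:-}" = "apply" ]; then
    syn_limit_rules 80 20 40
fi
```

Two things worth knowing when comparing this with a `--ctstate NEW` rule: `--syn` is strictly narrower, since it matches only packets that open a handshake, whereas conntrack also reports NEW for a mid-stream packet (a bare ACK with no tracked connection behind it, which happens after a conntrack table flush or a reboot while `nf_conntrack_tcp_loose` is enabled). A rule set that drops everything not matched by `--syn` therefore silently discards such pickups, which can look like "the first packet doesn't fit my rules" from the client side. Also, `--hashlimit-above` on a DROP rule makes the limit fail open for the sources below the rate, so the final ACCEPT is what lets legitimate SYNs through.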