Re: noob question howto using iptables limit ip access times


On Mon, Jun 21, 2010 at 22:58, Curby <curby@xxxxxx> wrote:
>
> On Mon, Jun 21, 2010 at 6:02 AM, Pascal Hambourg
> <pascal.mail@xxxxxxxxxxxxxxx> wrote:
> > Because your rule limits packets, not connections. A single TCP
> > connection involves multiple packets.
>
> Yes, the stateful features of netfilter would be useful here.  Drop
> the INVALIDs, accept the ESTABLISHED,RELATED, drop NEW not SYN
> packets, and your match will mostly match valid new connection
> attempts.  This could be further improved by detecting and dropping
> port scans, as Jan wrote about.
>
> This prevents the 1000/day rule from matching packets for ESTABLISHED
> connections and for spurious packets that should be ignored.
>
> --Mike


  Thank you very much, I'll try it later. Thanks a lot.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
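The rule ordering Mike describes above, written out as an added example (not code from the thread or from any poster): a shell function that emits an iptables-restore fragment for the INPUT chain. The port (22), the limit (1000/day), the burst value and the use of hashlimit keyed on source IP are assumptions; the original poster's actual rule is not shown on the page. hashlimit rather than limit is used because the plain limit match keeps one counter for the whole rule, not one per client, whereas the question title asks to limit access per IP.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Generates (and optionally
# applies) INPUT rules so that only genuine new TCP connection attempts
# reach the per-source rate limit. Port/limit/burst values are assumptions.

PORT="${PORT:-22}"
LIMIT="${LIMIT:-1000/day}"
BURST="${BURST:-50}"

# gen_rules PORT LIMIT BURST -> iptables-restore fragment on stdout.
# Lines starting with '#' are skipped by iptables-restore.
gen_rules() {
  port="$1"; limit="$2"; burst="$3"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# 1. Drop what conntrack cannot classify (stray ACKs, out-of-window data).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 2. Accept packets of connections already tracked, so the limit below
#    never sees the many packets a single TCP connection produces.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. A NEW TCP packet that is not a bare SYN is not a real connection attempt.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# 4. Only genuine connection attempts get here: count them per source IP.
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -m hashlimit --hashlimit-name new_${port} --hashlimit-mode srcip --hashlimit-upto ${limit} --hashlimit-burst ${burst} -j ACCEPT
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
}

# rule_order_ok PORT LIMIT BURST -> exit 0 iff the four rules appear in
# the order INVALID drop, ESTABLISHED accept, non-SYN drop, hashlimit.
rule_order_ok() {
  rules=$(gen_rules "$1" "$2" "$3")
  pos() { printf '%s\n' "$rules" | grep -n -- "$1" | head -n 1 | cut -d: -f1; }
  a=$(pos 'ctstate INVALID -j DROP')
  b=$(pos 'ESTABLISHED,RELATED -j ACCEPT')
  c=$(pos '! --syn -m conntrack --ctstate NEW -j DROP')
  d=$(pos 'hashlimit-mode srcip')
  [ -n "$a" ] && [ -n "$b" ] && [ -n "$c" ] && [ -n "$d" ] &&
    [ "$a" -lt "$b" ] && [ "$b" -lt "$c" ] && [ "$c" -lt "$d" ]
}

# With APPLY=1 (and root) load the rules; otherwise just print them for review.
if [ "${APPLY:-0}" = "1" ] && command -v iptables-restore >/dev/null 2>&1; then
  gen_rules "$PORT" "$LIMIT" "$BURST" | iptables-restore
else
  gen_rules "$PORT" "$LIMIT" "$BURST"
fi
```

Run it as `PORT=22 LIMIT=1000/day sh rules.sh` to inspect the fragment, or with `APPLY=1` to load it. Because step 2 comes before step 4, a client that opens one connection and transfers a million packets spends exactly one token of its budget; without that ordering every packet of the transfer would count against the 1000/day limit, which is the behaviour the original poster saw.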
