Hello Rob,
On 08/12/2013 03:41 PM, /dev/rob0 wrote:
> On Mon, Aug 12, 2013 at 01:28:59PM -0600, Alex Flex wrote:
>> I am working with a stateless firewall to help keep up with DoS
>> and a state flood. I have a few doubts about my setup:
>
> What is a "state flood"? Why do you think a stateless firewall is
> superior, or even desirable?
With a state flood, I meant a SYN flood, for example. My experience has
taught me that small-bandwidth attacks (those that my uplink withstands) are
done based on my state table reaching its limits.

Knowing this, do you think I should have taken another approach?

Is there any way I can assign conntrack resources per chain? This would
greatly help at isolating damage.

The OUTPUT deny is a paranoid method to have a more complete
understanding of that traffic, so that future applications cannot misbehave
so easily. It is not meant to guard from ssh users.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
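The claim in this message, that a low-bandwidth SYN flood hurts by filling the state table rather than the link, and the question about isolating conntrack resources per chain, can be illustrated with a small model. The following is an added example, not code from the thread or from netfilter: a dict stands in for the kernel's conntrack table, packets are constructed tuples, and the "partitioned" variant only models the isolation idea (a fixed budget per destination service); it does not claim that netfilter offers a per-chain limit, and the table size, flood rate and timeout are made-up numbers.

```python
"""Toy model of connection-tracking exhaustion during a SYN flood.

Constructed illustration for the netfilter thread above. A dict stands in
for the conntrack table, a flow is a (src_ip, src_port, dst_port) tuple, and
time advances in whole seconds. Nothing here is netfilter code.
"""
from dataclasses import dataclass, field


@dataclass
class ConntrackTable:
    """A fixed-size table of half-open flows, each expiring after syn_timeout."""
    max_entries: int
    syn_timeout: int                                # seconds a half-open entry lives
    entries: dict = field(default_factory=dict)     # flow tuple -> expiry time

    def _expire(self, now):
        stale = [flow for flow, exp in self.entries.items() if exp <= now]
        for flow in stale:
            del self.entries[flow]

    def new_flow(self, flow, now):
        """Return True if the flow is admitted (or already tracked), False if refused."""
        self._expire(now)
        if flow in self.entries:
            return True
        if len(self.entries) >= self.max_entries:
            return False                            # table full: new state refused
        self.entries[flow] = now + self.syn_timeout
        return True


def simulate(partitioned, seconds=60, flood_rate=200, max_entries=5000, syn_timeout=120):
    """Run a SYN flood against port 80 alongside one legitimate SSH attempt per second.

    With a single shared table the flood fills it and SSH is starved. With a
    budget per destination service (the 'per chain' idea from the thread) the
    flood only exhausts its own share. Returns a dict of counters.
    """
    if partitioned:
        tables = {80: ConntrackTable(max_entries // 2, syn_timeout),
                  22: ConntrackTable(max_entries // 2, syn_timeout)}
    else:
        shared = ConntrackTable(max_entries, syn_timeout)
        tables = {80: shared, 22: shared}

    ssh_accepted = 0
    flood_dropped = 0
    for now in range(seconds):
        # Constructed flood: every SYN carries a fresh (spoofed) source tuple,
        # so each one is a new flow and would cost a new state entry.
        for i in range(flood_rate):
            n = now * flood_rate + i
            flow = (f"198.51.100.{n % 254 + 1}", 1024 + n, 80)
            if not tables[80].new_flow(flow, now):
                flood_dropped += 1
        # One legitimate SSH connection attempt per second from a fixed client.
        if tables[22].new_flow(("203.0.113.7", 40000 + now, 22), now):
            ssh_accepted += 1

    return {"ssh_accepted": ssh_accepted, "ssh_attempted": seconds,
            "flood_dropped": flood_dropped, "flood_sent": seconds * flood_rate}


if __name__ == "__main__":
    for mode in (False, True):
        print("partitioned" if mode else "shared", simulate(mode))
```

The flood here sends 12,000 SYNs in total, well under what any uplink would notice, yet with one shared table the SSH client only gets through for the first 24 seconds; with the budget split per service it gets through every time, while the web share fills and starts refusing new state on its own. The model also shows why the spoofed-source case defeats per-source limits: no source repeats, so only a cap on the table (or not tracking unsolicited SYNs in the first place) bounds the damage.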