debug a --connlimit-above rule

I do wonder if replacing "--syn" with "--match conntrack --ctstate NEW" in the following rule

	/sbin/iptables -A OUTPUT -p tcp --destination-port 443 --syn --match connlimit --connlimit-above 100 --connlimit-mask 0 --connlimit-daddr --match limit --limit 1/second -j LOG --log-prefix " rule hit "

makes any difference?
My goal is to be informed if there're over 100 new connections to remote *:443 addresses within a 1 second period.

Furthermore are there any (/sys/ ?) files I could watch? Currently it seems that the rule misbehaves after a while. A restart of its appropriate iptable script every 10 min seems to help.

-- 
Toralf
PGP C4EACDDE 0076E94E
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
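As an added example (not code from Toralf's post or from the netfilter project), here is a shell script that puts the two rule variants side by side and adds two helpers for checking what is actually going on: `rule_hits` reads the LOG rule's packet counter out of `iptables -L OUTPUT -v -n -x` output, and `tracked_443` counts the TCP flows to port 443 in `/proc/net/nf_conntrack`, which is the population that `connlimit` compares against 100. The rule text, the `/sbin/iptables` path and the ` rule hit ` prefix come from the post; the counter listing and the conntrack table are constructed samples, and the `watch_rule` helper needs root plus a live netfilter and is not exercised by the sample run.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes iptables with the
# connlimit, limit and conntrack matches, the LOG rule from the post (prefix
# " rule hit ") in the OUTPUT chain, and a kernel exposing /proc/net/nf_conntrack.

# The post's rule and the --ctstate NEW variant, side by side. --syn is shorthand
# for "--tcp-flags SYN,RST,ACK,FIN SYN"; --ctstate NEW matches the first packet
# conntrack sees for a flow. Pipe the output into sh as root to install them.
print_rules() {
  cat <<'EOF'
/sbin/iptables -A OUTPUT -p tcp --destination-port 443 --syn \
  --match connlimit --connlimit-above 100 --connlimit-mask 0 --connlimit-daddr \
  --match limit --limit 1/second -j LOG --log-prefix " rule hit "
/sbin/iptables -A OUTPUT -p tcp --destination-port 443 --match conntrack --ctstate NEW \
  --match connlimit --connlimit-above 100 --connlimit-mask 0 --connlimit-daddr \
  --match limit --limit 1/second -j LOG --log-prefix " rule hit "
EOF
}

# Packet counter of the LOG rule, taken from `iptables -L OUTPUT -v -n -x`
# output passed in as $1. Prints 0 if no line carries the " rule hit " prefix.
rule_hits() {
  printf '%s\n' "$1" | awk '/prefix " rule hit "/ { print $1; found = 1; exit }
                             END { if (!found) print 0 }'
}

# Number of tracked TCP flows whose original-direction destination port is 443,
# read from /proc/net/nf_conntrack text passed in as $1. With --connlimit-daddr
# and --connlimit-mask 0 this is the pool connlimit counts across all
# destinations; the rule can only fire while this number exceeds 100.
tracked_443() {
  printf '%s\n' "$1" | awk '
    $3 == "tcp" {
      for (i = 1; i <= NF; i++) if ($i ~ /^dport=/) { if ($i == "dport=443") n++; break }
    }
    END { print n + 0 }'
}

# Poll the live counter and report how often the LOG rule fired per interval,
# next to the current number of tracked :443 flows. Needs root; not run below.
watch_rule() {
  interval=${1:-10}
  prev=$(rule_hits "$(/sbin/iptables -L OUTPUT -v -n -x)")
  while sleep "$interval"; do
    cur=$(rule_hits "$(/sbin/iptables -L OUTPUT -v -n -x)")
    tracked=$(tracked_443 "$(cat /proc/net/nf_conntrack)")
    echo "$(date '+%F %T') LOG hits +$((cur - prev)) (total $cur), tracked :443 flows $tracked"
    prev=$cur
  done
}

# Constructed sample of `iptables -L OUTPUT -v -n -x` output (not captured from a real host).
SAMPLE_COUNTERS='Chain OUTPUT (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9876   654321 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
      42     2520 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 flags:0x17/0x02 #conn dst/0 > 100 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix " rule hit "'

# Constructed sample of /proc/net/nf_conntrack (two TCP flows to :443, one to :80, one UDP).
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51234 dport=443 src=192.0.2.10 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=10.0.0.5 dst=192.0.2.11 sport=51235 dport=443 [UNREPLIED] src=192.0.2.11 dst=10.0.0.5 sport=443 dport=51235 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.12 sport=51236 dport=80 src=192.0.2.12 dst=10.0.0.5 sport=80 dport=51236 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=10.0.0.5 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=10.0.0.5 sport=53 dport=40000 mark=0 use=2'

echo "sample: LOG rule fired $(rule_hits "$SAMPLE_COUNTERS") times; $(tracked_443 "$SAMPLE_CONNTRACK") tracked TCP flows to :443"
```

Two things the script makes visible. First, the counter `rule_hits` reads only moves when all three matches hold on the same packet, and `--limit 1/second` lets the LOG target fire at most about once per second plus its burst, so the counter under-reports matching packets by design. Second, `connlimit` compares the number of currently tracked connections in the group against 100, not a rate of new connections per second, which is what `tracked_443` shows; watching that number next to the LOG counter is the quickest way to tell whether the rule has stopped firing because the condition is no longer true or because something else changed. On the `--syn` versus `--ctstate NEW` question: `--syn` looks only at TCP flags, while `--ctstate NEW` depends on conntrack's view of the flow, so with the default `nf_conntrack_tcp_loose=1` a mid-stream packet that conntrack picks up can be NEW without being a SYN.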
