| To: | Rusty Russell <rusty@xxxxxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: [PATCH] Increased DoS protection. |
| From: | Lars Marowsky-Bree <lmb@xxxxxxx> |
| Date: | Fri, 28 Apr 2000 17:29:26 +0200 |
| Cc: | Andi Kleen <ak@xxxxxx>, netdev@xxxxxxxxxxx, netfilter@xxxxxxxxxxxxxxx |
| In-reply-to: | <m12lA8T-0005MFC@xxxxxxxxxxxxxxxxxxxxxxxx>; from "Rusty Russell" on 2000-04-28T22:14:43 |
| References: | <20000428095254.A875@xxxxxxxxxxx> <m12lA8T-0005MFC@xxxxxxxxxxxxxxxxxxxxxxxx> |
| Sender: | owner-netdev@xxxxxxxxxxx |
On 2000-04-28T22:14:43,
Rusty Russell <rusty@xxxxxxxxxxxxxxxx> said:
> You *could* figure out retroactively that the prior packet was
> out-of-window (handwave). But it's probably easier to live with the
> fact that connections tracked across reboots won't have the
> `DONT_KILL_ME_IM_A_GENUINE_CONNECTION' bit set, meaning they'll be
> the first up against the wall if we're under stress.
It appears perfectly reasonable to me that stateful connection tracking may
lose connections over a reboot. Yes, this is inflicting pain on the user, but
on the other hand, it is supposed to be a firewall which is blocking what
isn't allowed...
If you don't want that, don't use stateful filtering.
Sincerely,
Lars Marowsky-Brée <lmb@xxxxxxx>
Development HA
--
Perfection is our goal, excellence will be tolerated. -- J. Yahl
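As an added illustration (not code from this thread or from netfilter), here is a small Python model of the behaviour Rusty describes above: flows that never earn the "genuine connection" mark are evicted first when the table is under stress, and flows that pre-date a reboot cannot earn it because their handshake history is gone. The flag name, the table size and the 4-tuples are constructed for the example.

```python
from collections import OrderedDict

class ConntrackTable:
    """Fixed-size table of tracked flows: key -> assured flag (oldest first)."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.entries = OrderedDict()
        self.evicted = []

    def packet(self, key, reply_in_window=False):
        """Account a packet for flow `key`; a valid in-window reply marks the
        flow as a genuine (assured) connection (hypothetical flag name)."""
        if key not in self.entries:
            if len(self.entries) >= self.max_entries:
                self.evict_one()
            self.entries[key] = False
        if reply_in_window:
            self.entries[key] = True

    def evict_one(self):
        """Under stress drop the oldest unassured flow; only if every entry is
        assured fall back to the oldest flow overall."""
        victim = next((k for k, assured in self.entries.items() if not assured),
                      next(iter(self.entries)))
        del self.entries[victim]
        self.evicted.append(victim)
        return victim

    def reboot(self):
        self.entries.clear()   # tracking state does not survive a reboot

def simulate():
    """Return (evicted, surviving) keys after a reboot followed by stress."""
    table = ConntrackTable(max_entries=3)
    old = [("10.0.0.1", 40001, "192.0.2.10", 22),     # constructed 4-tuples
           ("10.0.0.2", 40002, "192.0.2.10", 443)]
    for k in old:
        table.packet(k)
        table.packet(k, reply_in_window=True)         # validated: assured
    table.reboot()
    for k in old:                 # mid-stream packets re-create the entries,
        table.packet(k)           # but without handshake history: unassured
    new = ("10.0.0.3", 40003, "192.0.2.10", 80)
    table.packet(new)
    table.packet(new, reply_in_window=True)           # fresh, fully validated
    flood = ("198.51.100.7", 50000, "192.0.2.10", 25)
    table.packet(flood)           # table full: oldest unassured entry goes
    return table.evicted, list(table.entries)
```

Running `simulate()` shows the pre-reboot SSH flow being dropped while the post-reboot validated flow and the newcomer survive, which is exactly the "first up against the wall" trade-off discussed in the thread.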