Haim Ashkenazi <[EMAIL PROTECTED]> writes: > if I'll patch "ipt_conntrack.c" in the kernel-source with that patch I > won't have to worry about the filtering in the PREROUTING chain?
You have to filter in the PREROUTING chain to protect the routing cache, otherwise the machine will die when flooded with packets with random source or destination addresses.
