I am deploying boxes into unfriendly networks and cannot count on firewall protection. The servers are Linux 2.4 and I have wrapped them tightly in Netfilter (iptables). The only chink, if you will, is the protection against SYN flooding. I see two solutions and would like the forum's input. The first is using SYN cookies and the second is Netfilter's rate limiting. My impression is that SYN cookies require more overhead but would not drop legitimate traffic. On the other hand, Netfilter would have less overhead but may drop legitimate traffic when the threshold is triggered.
Regards, John Coke
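The two defences the post weighs, written out as an added shell example (this is not from the original post or from John; it is an illustration of the 2.4-era knobs). The SYN_LIMIT chain name, the 10/second and 20-burst defaults, and the 1024 backlog value are all assumed for the example; the paths and iptables/sysctl options are the real ones. Nothing is changed on the live system unless one of the apply_* functions is called as root.

```shell
#!/bin/sh
# Added example (not part of the original post): the two SYN-flood
# defences discussed, as functions that emit configuration or check it.
# Chain name, rate, burst and backlog value are chosen for illustration.

# Approach 1: SYN cookies. With tcp_syncookies=1 the kernel only starts
# answering with cookies once the SYN backlog is full, so the normal
# path is untouched. Raising the backlog (assumed value 1024) means the
# cookie path is reached later rather than sooner.
syncookie_sysctls() {
    cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
EOF
}

# Approach 2: Netfilter rate limiting of connection attempts.
# $1 = sustained rate for the 'limit' match, $2 = burst (token bucket
# depth). SYNs that exceed the bucket fall through to the DROP rule,
# which is exactly where legitimate connections are lost during a flood.
synlimit_rules() {
    rate="${1:-10/second}"
    burst="${2:-20}"
    # '-p tcp --syn' matches packets with SYN set and RST, ACK, FIN clear,
    # i.e. only the first packet of a new connection.
    echo "iptables -N SYN_LIMIT"
    echo "iptables -A SYN_LIMIT -m limit --limit $rate --limit-burst $burst -j ACCEPT"
    echo "iptables -A SYN_LIMIT -j DROP"
    echo "iptables -A INPUT -p tcp --syn -j SYN_LIMIT"
}

# Check whether SYN cookies are currently enabled. $1 lets a test point
# the check at a file standing in for the real procfs entry.
syncookies_enabled() {
    f="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Apply approach 1 (root required). Whitespace around '=' is stripped
# so sysctl -w receives key=value.
apply_syncookies() {
    syncookie_sysctls | while IFS='=' read -r key val; do
        key=$(echo "$key" | tr -d ' ')
        val=$(echo "$val" | tr -d ' ')
        sysctl -w "$key=$val"
    done
}

# Apply approach 2 (root required); pass rate and burst as arguments.
apply_synlimit() {
    synlimit_rules "$@" | sh -e
}
```

Two caveats a practitioner would weigh alongside the post's question: with the limit approach every SYN beyond the bucket is dropped regardless of who sent it, so the threshold has to sit well above the host's real connection rate or legitimate clients are the ones who time out; and while SYN cookies are in use the kernel has kept no state for the half-open connection, so TCP options carried in the original SYN such as window scaling and SACK are not negotiated on connections set up via a cookie.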