In message <20001115154603.D4089@psuedomode> you write:
> I was DDoS'd today while away and came home to find the firewall unable to
> do anything network related (although my connection to irc was still
> working oddly). a quick dmesg showed the problem.
> ip_conntrack: maximum limit of 2048 entries exceeded
> NET: 1 messages suppressed.
> ip_conntrack: maximum limit of 2048 entries exceeded
> NET: 3 messages suppressed.
> ip_conntrack: maximum limit of 2048 entries exceeded
> NAT: 0 dropping untracked packet c1e69980 6 192.168.1.2 -> 206.251.7.30
> ip_conntrack: maximum limit of 2048 entries exceeded
> NAT: 0 dropping untracked packet c1e69b60 6 192.168.1.2 -> 206.251.7.30
> ip_conntrack: maximum limit of 2048 entries exceeded
Yes, I added connection assurance (which provides much more
intelligence about which connections should be dropped,
ie. established TCP connections get assured) in test6, for exactly
this reason.
Hope that helps,
Rusty.
--
Hacking time.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.tux.org/lkml/
