> > No. If you drop packets randomly you will break existing connections.
>
> No you won't. Not on a working (read: bug free) TCP stack you won't
> anyway. TCP was designed to handle unreliable networks where packet
> loss happens. If dropped TCP packets broke connections, the Internet
> would break. It simply would not work -- at all. The Internet is
> chock full of networks that drop packets, both occasionally and
> frequently.

Oh, I am well aware of that. Pardon me for badly expressing my thoughts. But if the author dropped the packets of existing connections, he would cause increased latency, decreased throughput, and cause the connections to stall in case of bad handling by the applications. That really is BAD.

> > If you drop incoming SYN packets,
> > it is okay,
>
> This is NOT OK. If you drop incoming SYN packets you will prevent TCP
> connections from getting established.

Don't you think we all know that? I wrote OK, because it is a way of limiting NEW connections using:

iptabl .... -p tcp --dport 22 --syn -m iplimit --iplimit-above 3 -j REJECT --reject-with tcp-reset

That's a fine way to limit new connections.

I guess you are trying to make enemies and grab on to anything just for a fight. I am not going to let myself in, sorry.

Have a nice day,
Maciej Soltysiak
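Added example, not from the thread: a small Python model of the rule quoted above (iptables' iplimit match, which later shipped in mainline iptables as connlimit), run over a constructed packet trace. It shows that only the SYN that would open a fourth concurrent connection from one source address is answered with a reset, while packets of connections that are already established are never touched; the source address, port numbers and packet dicts are constructed, and the closing-flow bookkeeping is a simplification of what conntrack does.

```python
from collections import defaultdict

REJECT = "REJECT --reject-with tcp-reset"


class SynLimiter:
    """Model of `--syn -m iplimit --iplimit-above N -j REJECT`.
    Counts concurrent connections per source address and polices only
    the packet that opens a new one; packets of established flows are
    never touched (simplified: real connlimit counts conntrack entries).
    """

    def __init__(self, above=3):
        self.above = above
        self.open = defaultdict(set)  # src ip -> set of client ports in flight

    def handle(self, pkt):
        """Return the verdict ("ACCEPT" or REJECT) for one packet dict."""
        src, sport, flags = pkt["src"], pkt["sport"], pkt["flags"]
        conns = self.open[src]
        # --syn means SYN set and ACK, FIN, RST clear: a new connection.
        if "SYN" in flags and not flags & {"ACK", "FIN", "RST"}:
            if len(conns) >= self.above:  # this would exceed the allowed count
                return REJECT
            conns.add(sport)
        elif flags & {"FIN", "RST"}:
            conns.discard(sport)  # flow is closing; free its slot
        return "ACCEPT"  # mid-connection packets always pass


def run_trace(packets, above=3):
    """Apply the limiter to a packet list and return one verdict per packet."""
    limiter = SynLimiter(above)
    return [limiter.handle(p) for p in packets]


# Constructed trace: one client (10.0.0.5) opening SSH sessions to port 22.
TRACE = [
    {"src": "10.0.0.5", "sport": 40001, "flags": {"SYN"}},
    {"src": "10.0.0.5", "sport": 40002, "flags": {"SYN"}},
    {"src": "10.0.0.5", "sport": 40003, "flags": {"SYN"}},
    {"src": "10.0.0.5", "sport": 40001, "flags": {"ACK"}},         # established
    {"src": "10.0.0.5", "sport": 40004, "flags": {"SYN"}},         # 4th: rejected
    {"src": "10.0.0.5", "sport": 40002, "flags": {"FIN", "ACK"}},  # one closes
    {"src": "10.0.0.5", "sport": 40004, "flags": {"SYN"}},         # retry fits
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace(TRACE)):
        print(pkt["sport"], sorted(pkt["flags"]), "->", verdict)
```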