Hi there,

On Tue, 31 Aug 2010, mc0fred wrote:

> On 08/31/2010 08:59 PM, G.W. Haywood wrote:
> >
> > Why not just '/sbin/iptables -j DROP' the incoming packets at the firewall?
> > ...
> >
> The firewall still needs to spend cycles processing the incoming packets
> to determine if it should be dropped. This is the issue.

I suspect the problem is more likely to be associated with maintaining
state than with the number of packets per second. Not many firewalls
can't handle 4kpps, but you can easily fill the conntrack table if you
aren't careful. If you drop all incoming packets from that source you
won't be maintaining state for it, and the problem will most likely go
away immediately.

--

73,
Ged.
_______________________________________________
pool mailing list
http://lists.ntp.org/listinfo/pool
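Added example, not part of the original message: counting conntrack entries per original source address, to see which source is holding the state that the reply above says fills the table. The sample lines (in /proc/net/nf_conntrack format), the addresses and the table size of 8 are constructed for illustration.

```python
import re
from collections import Counter

# The first src= on a conntrack line is the original-direction source;
# the second src= belongs to the reply tuple and is ignored here.
FIRST_SRC = re.compile(r"\bsrc=(\S+)")

# Constructed sample in /proc/net/nf_conntrack format (not real traffic).
SAMPLE = """\
ipv4     2 udp      17 25 src=203.0.113.7 dst=192.0.2.10 sport=40001 dport=123 [UNREPLIED] src=192.0.2.10 dst=203.0.113.7 sport=123 dport=40001 mark=0 zone=0 use=2
ipv4     2 udp      17 26 src=203.0.113.7 dst=192.0.2.10 sport=40002 dport=123 [UNREPLIED] src=192.0.2.10 dst=203.0.113.7 sport=123 dport=40002 mark=0 zone=0 use=2
ipv4     2 udp      17 27 src=203.0.113.7 dst=192.0.2.10 sport=40003 dport=123 [UNREPLIED] src=192.0.2.10 dst=203.0.113.7 sport=123 dport=40003 mark=0 zone=0 use=2
ipv4     2 udp      17 12 src=198.51.100.20 dst=192.0.2.10 sport=123 dport=123 src=192.0.2.10 dst=198.51.100.20 sport=123 dport=123 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.21 dst=192.0.2.10 sport=51514 dport=22 src=192.0.2.10 dst=198.51.100.21 sport=22 dport=51514 [ASSURED] mark=0 zone=0 use=2
"""


def entries_by_source(lines):
    """Count tracked connections per original source address."""
    counts = Counter()
    for line in lines:
        match = FIRST_SRC.search(line)
        if match:  # skip blank or malformed lines
            counts[match.group(1)] += 1
    return counts


def table_fill(lines, table_max):
    """Fraction of the conntrack table currently in use."""
    return sum(entries_by_source(lines).values()) / table_max


def heavy_sources(lines, table_max, share=0.25):
    """Sources holding at least `share` of the table, largest first."""
    return [
        (src, n, n / table_max)
        for src, n in entries_by_source(lines).most_common()
        if n / table_max >= share
    ]


if __name__ == "__main__":
    # On a live host, read /proc/net/nf_conntrack and take table_max from
    # /proc/sys/net/netfilter/nf_conntrack_max instead of the constructed 8.
    lines = SAMPLE.splitlines()
    print(f"table fill: {table_fill(lines, 8):.1%}")
    for src, n, frac in heavy_sources(lines, 8):
        print(f"{src}: {n} entries ({frac:.1%} of table)")
```

A source reported here is a candidate for the DROP rule discussed in the thread; once its packets are dropped, its entries stop being created and the existing ones time out.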
