HA firewall (conntrack-tools)
On 22 June 2010 15:33, James <email@example.com> wrote:
> Look here:
> Is anyone doing this, and willing to share configs, answer questions,
> or point to other examples?
> Lots of new kernel stuff for iptables, since I sank deeply into the
> abyss of minutia of iptables. Further reading references on how to
> build an HA or fail-over firewall are most welcome.
I can't add anything about conntrackd, because I have not used it, but
I'd recommend using the limit module and setting it to something sensible
(e.g. 3/minute) when logging invalid packets, if you want to avoid
bogging down your fw. So use something like:
-m limit --limit 1/minute
You could also add --limit-burst in the same fashion again to limit
DoS attacks, at least on the Internet facing NICs/ports.
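The rate-limited logging described in the reply above, written out as a small POSIX shell script. This is an added example, not something posted in the thread: the interface name (WAN_IF), the 3/minute rate, the burst of 5, the log prefix and the use of the conntrack match for INVALID packets are all assumptions; adjust them to the firewall in question. By default the function only prints the iptables commands so they can be reviewed; pass `iptables` as its argument (as root) to apply them.

```shell
#!/bin/sh
# Added example (not from the original thread): log INVALID packets on the
# Internet-facing interface at a bounded rate, then drop them.
# WAN_IF, LOG_RATE and LOG_BURST are assumed values; override via environment.
WAN_IF="${WAN_IF:-eth0}"
LOG_RATE="${LOG_RATE:-3/minute}"
LOG_BURST="${LOG_BURST:-5}"

# invalid_log_rules [COMMAND]
#   Emits (or, with COMMAND=iptables, applies) the two rules.
#   Default COMMAND is "echo iptables", i.e. a dry run that prints them.
invalid_log_rules() {
    ipt="${1:-echo iptables}"

    # Weak form, for comparison (do not use):
    #   iptables -A INPUT -i eth0 -m conntrack --ctstate INVALID -j LOG
    # With no -m limit, every invalid packet produces a syslog line, so a
    # flood of garbage turns the firewall's own logging into the DoS.

    # Hardened form: the limit match caps how often the LOG target fires.
    # --limit is the sustained rate; --limit-burst is the initial allowance
    # before that rate applies.
    $ipt -A INPUT -i "$WAN_IF" -m conntrack --ctstate INVALID \
        -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-prefix "FW INVALID: "

    # Drop unconditionally. The limit above only bounds what gets logged;
    # it must not be the rule that decides what gets through.
    $ipt -A INPUT -i "$WAN_IF" -m conntrack --ctstate INVALID -j DROP
}

# Dry run: print the rules for review.
invalid_log_rules
```

Keep the LOG and DROP as two separate rules: if the limit match were placed on a single combined rule, packets exceeding the log rate would fall through to the rest of the chain instead of being dropped.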