On Mon, 13 May 2002, sim ton wrote:
> I want to be protected against SYN flood attacks ... ok ...
> but I don't really know what the best solution is:
> iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> # Enable TCP SYN Cookie Protection
> #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> Are they the same or not???
No, they are not the same. The iptables rule you specify limits your
system to accepting one new connection per second, a fairly small number.
Enabling SYN cookies lets your system accept an unlimited number of
TCP connections while still trying to give reasonable service during a
denial of service attack.
The second is the preferable technique.
 For values of unlimited up to those supported by the software and
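To make the difference concrete, here is an added example (not part of the original mail) that models the token bucket behind `-m limit --limit 1/s` with iptables' default `--limit-burst 5`, and counts how many SYNs such a rule would let through. The bucket model is a simplified assumption of the kernel's behaviour, and the arrival times are constructed sample input.

```python
# Simplified model of the iptables "limit" match: a token bucket that
# refills at --limit (tokens per second) up to --limit-burst tokens.
# Each SYN that finds a whole token "matches" and is ACCEPTed; the rest
# fall through to the next rule (so the rule only protects anything if a
# later rule or the chain policy drops the unmatched SYNs).
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    rate_per_sec: float = 1.0   # --limit 1/s
    burst: int = 5              # --limit-burst default
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens = float(self.burst)  # bucket starts full
        self.last = 0.0

    def matches(self, t: float) -> bool:
        # Refill for the time elapsed since the previous packet, capped at burst.
        self.tokens = min(float(self.burst),
                          self.tokens + (t - self.last) * self.rate_per_sec)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True   # this SYN hits "-j ACCEPT"
        return False      # this SYN is not matched by the limit rule


def accepted_syns(arrivals, rate=1.0, burst=5):
    """Number of SYNs (arrival times in seconds, sorted) the rule ACCEPTs.
    With SYN cookies enabled instead, every one of them could be served."""
    m = LimitMatch(rate, burst)
    return sum(1 for t in arrivals if m.matches(t))


def evenly_spaced(n, spacing):
    """Constructed sample: n SYNs arriving `spacing` seconds apart."""
    return [i * spacing for i in range(n)]


if __name__ == "__main__":
    # 20 legitimate clients connecting within one second: only the 5-token
    # burst gets through, the other 15 are not matched by the rule.
    print(accepted_syns(evenly_spaced(20, 0.05)))   # 5
    # One client every two seconds never exhausts the bucket.
    print(accepted_syns(evenly_spaced(10, 2.0)))    # 10
```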
I have never seen a bad television program, because I refuse to.
God gave me a mind, and a wrist that turns things off.
-- Jack Paar