evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

Opensnitch can be bypassed by quickly opening new connections #71

Closed knowak closed 7 years ago

knowak commented 7 years ago

With the current iptables rules, packets that don't fit in the netfilter queue are automatically accepted. I think that the default should be exactly the opposite, or at least configurable, for serious use. E.g. the following happens on my test system even if I don't respond to the UI. Obviously it's possible to open new connections even faster:

```shell
# 10000 background connections to a local listener on port 1234
for n in $(seq 1 10000); do echo wat | nc localhost 1234 & done
```

Listener side (the payload arrives without any OpenSnitch prompt being answered):

```text
karol@omoikane karol% nc -k -l 1234
wat
wat
wat
wat
wat
...
```
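The behaviour described in this report has two parts that a defender can check for separately: the iptables `NFQUEUE` target's `--queue-bypass` option makes a rule behave like `ACCEPT` when no program is listening on the queue, and the queue-full case is decided by the listening program through the `NFQA_CFG_F_FAIL_OPEN` queue flag together with the queue's maximum length. The kernel exposes per-queue counters in `/proc/net/netfilter/nfnetlink_queue`, including how many packets were dropped because the queue was full. The audit below is an added example written for this page, not code from the OpenSnitch project; the rule lines and the `/proc` snapshot are constructed samples (the rule text is an assumed shape, not OpenSnitch's actual rule set), and the `/proc` column layout follows the kernel's `nfnetlink_queue` seq output. It flags `NFQUEUE` rules that fail open, prints the fail-closed form of each, and reports queues that have been overrun.

```python
import re
from dataclasses import dataclass

# Constructed sample of `iptables -t mangle -S OUTPUT` output (assumed rule
# shape, not OpenSnitch's real rules). The first NFQUEUE rule fails open via
# --queue-bypass, the second does not.
SAMPLE_RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass
-A OUTPUT -p udp --dport 53 -j NFQUEUE --queue-num 1
"""

# Constructed sample of /proc/net/netfilter/nfnetlink_queue. Columns: queue
# number, peer portid, packets waiting, copy mode, copy range, packets dropped
# because the queue was full, packets dropped by the user program, id
# sequence, and a constant 1.
SAMPLE_PROC = """\
    0  -4423     0 2 65531    37     0     9182  1
    1  -4423  1024 2 65531     0     0     1024  1
"""


@dataclass
class NfqueueRule:
    text: str
    queue_num: str
    bypass: bool  # True when --queue-bypass is present (fail-open if no listener)


def parse_nfqueue_rules(dump):
    """Extract every rule that jumps to NFQUEUE from an `iptables -S` dump."""
    rules = []
    for line in dump.splitlines():
        if "-j NFQUEUE" not in line:
            continue
        m = re.search(r"--queue-num (\d+)", line)
        rules.append(NfqueueRule(
            text=line.strip(),
            queue_num=m.group(1) if m else "0",  # NFQUEUE defaults to queue 0
            bypass="--queue-bypass" in line,
        ))
    return rules


def harden_rule(rule):
    """Return the fail-closed form of a rule: without --queue-bypass the kernel
    drops queued packets instead of accepting them when nothing is listening."""
    return rule.text.replace(" --queue-bypass", "")


def parse_queue_stats(proc_text):
    """Map queue number -> counters from /proc/net/netfilter/nfnetlink_queue."""
    stats = {}
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        stats[fields[0]] = {
            "waiting": int(fields[2]),
            "dropped": int(fields[5]),
            "user_dropped": int(fields[6]),
        }
    return stats


def audit(rules_dump, proc_text):
    """Return a list of findings; an empty list means nothing looked fail-open
    and no queue has recorded an overrun."""
    findings = []
    for r in parse_nfqueue_rules(rules_dump):
        if r.bypass:
            findings.append(
                f"queue {r.queue_num}: --queue-bypass set, packets are ACCEPTed "
                f"when no listener is attached; fail-closed form: {harden_rule(r)}"
            )
    for q, s in parse_queue_stats(proc_text).items():
        if s["dropped"] > 0:
            # Only incremented when the queue fills and fail-open is NOT set;
            # an overrun with fail-open set silently accepts instead.
            findings.append(
                f"queue {q}: {s['dropped']} packets dropped because the queue was "
                f"full; raise the queue length and confirm the listener leaves "
                f"NFQA_CFG_F_FAIL_OPEN unset"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, SAMPLE_PROC):
        print(finding)
```

On a live host, feed it `iptables -t mangle -S` output and the contents of `/proc/net/netfilter/nfnetlink_queue`; both require root. Note the asymmetry: the `dropped` counter only proves overruns when the queue is fail-closed, so a queue that has been configured fail-open shows no trace of packets that slipped through, which is exactly why the rule-side check matters.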
evilsocket commented 7 years ago

https://github.com/evilsocket/opensnitch#known-issues--future-improvements