Hello all,

Sorry for the long post, but I really have no idea anymore ... I'm still having problems with "neighbour table overflows" when we use iptables 1.2.7a and kernel 2.4.19 from the SuSE 8.1 original distro. The PC is working as firewall/proxy between a LAN (10.104.0.0/16), an intranet (10.101.0.0 - 10.107.0.0/16) and the internet, which we can only access through cascaded proxies at 149.206.x.y.

I thought last week that we had solved it, when our Cisco found "incomplete" TCP connections and we switched network cards, but the problem keeps coming back. We even switched the complete machine in the meantime.

Today we have the following situation: one of the other participants in the intranet got the Blaster worm in their net, and they are still struggling with this. So we get bombed with tons of connections on port 135 from their destination when the worm(s) scan our net. This fills our ARP table / IP connection table with some 17.000-20.000(!) connections in "half open" state, and the kernel then throws thousands of messages like "Neighbour table overflow" and "neighbour table flood" at high rates. When memory is filled, the network services on this box simply stop working. I would call this a classical DOS attack, but what can I do against it?

I already drop all relevant packets from that source; I would have thought that the iptables / kernel code could manage this traffic (sitting behind a 2 MBit link with a PIII-500 / 256 MB RAM). Here is what I do against the most common "attacks":

    # NETBIOS
    #
    run_iptables -A common -p udp --dport 137:139 -j reject
    run_iptables -A common -p udp --dport 445 -j reject
    run_iptables -A common -p tcp --dport 139 -j reject
    run_iptables -A common -p tcp --dport 445 -j reject
    run_iptables -A common -p tcp --dport 135 -j reject
    ############################################################################
    # UPnP
    #
    run_iptables -A common -p udp --dport 1900 -j DROP
    ############################################################################
    # BROADCASTS
    #
    run_iptables -A common -d 255.255.255.255 -j DROP
    run_iptables -A common -d 224.0.0.0/4 -j DROP
    ############################################################################
    # AUTH -- Silently reject it so that connections don't get delayed.
    #
    run_iptables -A common -p tcp --dport 113 -j reject
    ############################################################################
    # DNS -- Silently drop late replies
    run_iptables -A common -p udp --sport 53 -m state --state NEW -j DROP

Any helpful tip is welcome,

Philipp
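The two tables the post describes as filling up (the conntrack table and the ARP/neighbour table) can be measured directly, which separates a genuine half-open flood from a misconfiguration. The helpers below are an added example, not code from the post or from the iptables project; they read the kernel 2.4 `/proc/net/ip_conntrack` and `ip -4 neigh show` formats from stdin, and the sample lines embedded here are constructed, with made-up addresses inside the ranges the post names.

```shell
#!/bin/sh
# Added triage helpers (not from the original post). Each function reads the
# table text from stdin so it works on the live files or on the samples below.

# Constructed sample in /proc/net/ip_conntrack (kernel 2.4) format.
CONNTRACK_SAMPLE='tcp      6 119 SYN_SENT src=10.101.1.5 dst=10.104.2.3 sport=4321 dport=135 [UNREPLIED] src=10.104.2.3 dst=10.101.1.5 sport=135 dport=4321 use=1
tcp      6 118 SYN_SENT src=10.101.1.5 dst=10.104.2.4 sport=4322 dport=135 [UNREPLIED] src=10.104.2.4 dst=10.101.1.5 sport=135 dport=4322 use=1
tcp      6 117 SYN_SENT src=10.101.1.5 dst=10.104.2.5 sport=4323 dport=135 [UNREPLIED] src=10.104.2.5 dst=10.101.1.5 sport=135 dport=4323 use=1
tcp      6 431999 ESTABLISHED src=10.104.0.10 dst=149.206.1.1 sport=33000 dport=8080 src=149.206.1.1 dst=10.104.0.10 sport=8080 dport=33000 [ASSURED] use=1
udp      17 20 src=10.104.0.10 dst=10.104.0.1 sport=1025 dport=53 src=10.104.0.1 dst=10.104.0.10 sport=53 dport=1025 use=1'

# Constructed sample in "ip -4 neigh show" format.
NEIGH_SAMPLE='10.104.0.10 dev eth0 lladdr 00:00:00:aa:bb:01 REACHABLE
10.104.2.3 dev eth0  INCOMPLETE
10.104.2.4 dev eth0  INCOMPLETE
10.104.2.5 dev eth0  FAILED'

# Conntrack entries the peer never answered: the "half open" state from the post.
count_unreplied() { grep -c '\[UNREPLIED\]'; }

# Source address with the most conntrack entries toward the given dport,
# printed as "address count". Only the first src=/dport= pair of each line
# is used, i.e. the original direction, not the reply tuple.
top_source_for_dport() {
    awk -v port="$1" '
        { s = ""; d = "" }
        match($0, /src=[0-9.]+/)  { s = substr($0, RSTART + 4, RLENGTH - 4) }
        match($0, /dport=[0-9]+/) { d = substr($0, RSTART + 6, RLENGTH - 6) }
        d == port                 { n[s]++ }
        END { for (a in n) if (n[a] > best) { best = n[a]; top = a }
              if (top != "") print top, best }'
}

# Neighbour entries that never resolved; a sweep of addresses with no host
# behind them leaves exactly these behind in the ARP table.
count_unresolved_neigh() { grep -Ec '(INCOMPLETE|FAILED)$'; }

# Live use on the firewall itself:
#   cat /proc/net/ip_conntrack | top_source_for_dport 135
#   ip -4 neigh show | count_unresolved_neigh
```

If the unresolved neighbour count approaches the gc_thresh3 value under /proc/sys/net/ipv4/neigh/default/, the "Neighbour table overflow" messages are the ARP cache hitting its hard limit rather than a conntrack problem.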