> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     $IPTABLES -A INPUT -i $EXTIF -p tcp --sport 20 \
>         -d <Internet Address> --dport $UNPRIVPORTS -m state \
>         --state NEW -j ACCEPT
> fi
> $IPTABLES -A INPUT -i $EXTIF -p tcp --sport 20 -d <Internet Address> \
>     --dport $UNPRIVPORTS -j ACCEPT
> $IPTABLES -A OUTPUT -o $EXTIF -p tcp ! --syn -s <Internet Address> \
>     --sport $UNPRIVPORTS --dport 20 -j ACCEPT
>
> If I understand his thinking properly, this statement is supposed to
> check to see if the "Connection Tracking" module of IPTABLES/
> NetFilter is loaded and if so, use the rule defined inside of the
> if/fi section. But if the "Connection Tracking" module isn't loaded,

Yes. But as Joel said: you have to set $CONNECTION_TRACKING to 1 in your
script, else it will never be executed.

> the firewall will fall back to the rules that follow, allowing the proper
> traffic to flow anyway. This is supposedly because the "Connection

There is no fallback when $CONNECTION_TRACKING != 1 in this piece of the
script. If $CONNECTION_TRACKING = 1 the if/fi gets executed, else not.
The lines below if/fi will be executed regardless of the value of
$CONNECTION_TRACKING. If there was a fallback for $CONNECTION_TRACKING,
you would probably see an if/then/else/fi structure.

Rob
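To make Rob's point visible without touching a live firewall, here is an added dry-run script (not from the original thread) that prints the rules instead of loading them, once with the if/fi structure as posted and once with the if/then/else/fi structure he suggests; the interface, address and port range are assumed placeholder values.

```shell
#!/bin/sh
# Dry run: IPTABLES is set to "echo iptables" so each rule is printed as
# one line rather than applied.  Values below are assumptions for the demo.
IPTABLES="echo iptables"
EXTIF="eth0"                  # assumed external interface
INET_ADDR="192.0.2.10"        # assumed Internet address (documentation range)
UNPRIVPORTS="1024:65535"

# Structure as posted: the two stateless ACCEPT rules after "fi" are loaded
# whatever CONNECTION_TRACKING holds, so the if/fi only ever adds a rule.
rules_as_posted() {
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        $IPTABLES -A INPUT -i $EXTIF -p tcp --sport 20 \
            -d $INET_ADDR --dport $UNPRIVPORTS -m state \
            --state NEW -j ACCEPT
    fi
    $IPTABLES -A INPUT -i $EXTIF -p tcp --sport 20 -d $INET_ADDR \
        --dport $UNPRIVPORTS -j ACCEPT
    $IPTABLES -A OUTPUT -o $EXTIF -p tcp ! --syn -s $INET_ADDR \
        --sport $UNPRIVPORTS --dport 20 -j ACCEPT
}

# With an else branch the stateless rules become a real fallback: they are
# loaded only when connection tracking is not in use, so a host that does
# track state never accepts arbitrary source-port-20 packets statelessly.
rules_with_fallback() {
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        $IPTABLES -A INPUT -i $EXTIF -p tcp --sport 20 \
            -d $INET_ADDR --dport $UNPRIVPORTS -m state \
            --state NEW -j ACCEPT
    else
        $IPTABLES -A INPUT -i $EXTIF -p tcp --sport 20 -d $INET_ADDR \
            --dport $UNPRIVPORTS -j ACCEPT
        $IPTABLES -A OUTPUT -o $EXTIF -p tcp ! --syn -s $INET_ADDR \
            --sport $UNPRIVPORTS --dport 20 -j ACCEPT
    fi
}

# How many stateless rules (no "-m state") a variant loads for a given
# CONNECTION_TRACKING value: $1 is the value, $2 the function name.
stateless_count() {
    ( CONNECTION_TRACKING="$1"; "$2" ) | grep -vc -e '-m state' || true
}

# Total number of rules a variant loads for a given CONNECTION_TRACKING value.
rule_count() {
    ( CONNECTION_TRACKING="$1"; "$2" ) | wc -l | tr -d ' '
}
```

Running `stateless_count 1 rules_as_posted` prints 2 while `stateless_count 1 rules_with_fallback` prints 0, which is the difference between the posted script and a true fallback.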