On Monday 24 February 2003 11:06 am, Kelly Setzer wrote:
> I've been experimenting with gShield trying to learn the ins and outs
> of iptables. One of the rules it generates is:
>
> iptables -A INPUT -s 192.168.6.0/24 -d 192.168.6.0/24 -i eth1 -j ACCEPT
>
> The source and dest are correct for my internal network, and eth1 is
> the internal net. My question is, when would the firewall ever see a
> packet that could possibly match this? Any packet with a source and
> destination on the same network would send the packet directly (no
> routing, thus no firewall).
>
> What am I missing?

What's the IP of eth1?

This is the INPUT chain, so it's for traffic targeted at the firewall box itself. Having a destIP listed with a /24 is a little odd, though, unless you have a DHCP-assigned IP or some such, where it won't know the IP when the rule is generated, or it may change.

j

> thanks,
> Kelly
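An added example, not from the thread or from gShield: a small model of which netfilter chain a packet traverses (INPUT only when the destination is one of the box's own addresses, otherwise FORWARD) and whether the quoted rule matches it, beside a narrowed form of the same rule. The firewall's eth1 address 192.168.6.1 and the sample packets are constructed assumptions.

```python
# Added example (not from the thread): model chain selection and rule matching
# for the quoted gShield rule. The firewall's own addresses are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: eth1 is the internal interface, eth0 faces outward.
FIREWALL_ADDRS = {"eth1": ip_address("192.168.6.1"), "eth0": ip_address("203.0.113.2")}

@dataclass(frozen=True)
class Rule:
    chain: str   # -A
    src: str     # -s, CIDR
    dst: str     # -d, CIDR
    in_if: str   # -i
    target: str  # -j

@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str

def chain_for(pkt: Packet) -> str:
    """INPUT when the destination is one of the box's own addresses, else FORWARD."""
    return "INPUT" if ip_address(pkt.dst) in FIREWALL_ADDRS.values() else "FORWARD"

def matches(rule: Rule, pkt: Packet) -> bool:
    """True only if the packet is on this rule's chain and every match clause holds."""
    return (chain_for(pkt) == rule.chain
            and pkt.in_if == rule.in_if
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst))

# The rule as quoted, and a narrower form once eth1's address is known (assumed).
GSHIELD_RULE = Rule("INPUT", "192.168.6.0/24", "192.168.6.0/24", "eth1", "ACCEPT")
TIGHT_RULE = Rule("INPUT", "192.168.6.0/24", "192.168.6.1/32", "eth1", "ACCEPT")

def classify(pkt: Packet) -> tuple[str, bool, bool]:
    """(chain the packet hits, matches quoted rule, matches narrowed rule)."""
    return (chain_for(pkt), matches(GSHIELD_RULE, pkt), matches(TIGHT_RULE, pkt))

if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("eth1", "192.168.6.10", "192.168.6.1"),   # LAN host talking to the firewall itself
        Packet("eth1", "192.168.6.10", "203.0.113.9"),   # LAN host heading out: FORWARD, not INPUT
        Packet("eth1", "192.168.6.10", "192.168.6.20"),  # LAN-to-LAN: would be FORWARD if it arrived at all
        Packet("eth0", "192.168.6.10", "192.168.6.1"),   # internal source on the outside interface: no match
    ]
    for p in samples:
        print(p, "->", classify(p))
```

Only the first sample reaches INPUT, which is the case the reply describes; the narrowed rule accepts exactly the same traffic in this model.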