i only partially recall a very recent query involving filtering incoming FTP requests through a firewall to an internal LAN. i wasn't surprised to see that DNAT was part of the solution, but i also recall that it didn't seem that the firewall was actually doing any filtering, just DNATting.

just from memory (and i could be wrong), i got the impression that it was being left to the internal hosts to do that actual filtering. i'm assuming that it would be possible to do both the DNATting and filtering at the firewall with DNAT and the FORWARD chain of the filter table, no?

rday

p.s. i apologize if i'm misremembering this, and that the solution posted did indeed involve filtering on the FORWARD chain.
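An added example, not part of the original post or the earlier thread: a shell function that emits an iptables-restore ruleset doing both the DNAT and the filtering on the firewall. Because nat PREROUTING runs before the routing decision, the FORWARD rules match on the translated (internal) destination. The interface name, addresses and function name are constructed for illustration.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset that DNATs inbound FTP to an internal
# server and filters it in FORWARD. Assumes the nf_conntrack_ftp and
# nf_nat_ftp modules are loaded and IP forwarding is enabled.
# Usage: gen_ftp_rules WAN_IF SERVER_IP ALLOWED_SRC_CIDR
gen_ftp_rules() {
    [ "$#" -eq 3 ] || {
        echo "usage: gen_ftp_rules WAN_IF SERVER_IP ALLOWED_SRC_CIDR" >&2
        return 2
    }
    wan=$1 srv=$2 src=$3
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# Attach the FTP helper explicitly so data connections are tracked as RELATED.
-A PREROUTING -i $wan -p tcp --dport 21 -j CT --helper ftp
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
# Rewrite the destination before routing; FORWARD then sees $srv.
-A PREROUTING -i $wan -p tcp --dport 21 -j DNAT --to-destination $srv
COMMIT
*filter
# Default-drop: being DNATted does not by itself permit forwarding.
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Active or passive FTP data channels announced on a tracked control session.
-A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
# New control connections only from the permitted source range.
-A FORWARD -i $wan -s $src -d $srv -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}
```

The output can be reviewed and then loaded with `iptables-restore`, which replaces the existing contents of the raw, nat and filter tables unless `--noflush` is given.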