I would imagine the answer to this is yes, but I haven't found anything on the subject. If you wanted to limit outbound traffic for a certain port to a certain group of servers, is that possible? For example, can I create a group:

    MAILSERVERS = 192.168.0.25, 192.168.0.26, 192.168.0.27

and use that in a ruleset:

    -A INSIDE_ACCESS_OUT -s $MAILSERVERS -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

and then drop the rest:

    -A INSIDE_ACCESS_OUT -p tcp -m tcp --dport 25 -j DROP
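
One way to get the grouping asked about above, as an added example that is not part of the original post: iptables-restore reads rule lines literally and does not expand `$MAILSERVERS`, so a small shell generator can expand the group into rule lines before they are loaded. The function names `is_ipv4` and `gen_smtp_rules` are hypothetical; the addresses, chain name and rule text are the ones from the post.

```shell
#!/bin/sh
# Added example: expand a named host group into iptables-restore rule lines.
# Group members and chain name are taken from the post; function names are hypothetical.

MAILSERVERS="192.168.0.25 192.168.0.26 192.168.0.27"

# Return 0 only for a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;   # stray characters, empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one ACCEPT rule per group member, then the catch-all DROP.
# Every member is validated before anything is printed, so a typo in the
# group cannot produce a partial ruleset that drops a legitimate mail server
# or smuggle extra rule options into a line.
# As in the post, ACCEPT matches only the initial SYN; this assumes an
# earlier rule already accepts packets of established connections.
gen_smtp_rules() {
    chain=$1; shift
    [ "$#" -gt 0 ] || { echo "empty group" >&2; return 1; }
    for host in "$@"; do
        is_ipv4 "$host" || { echo "bad address: $host" >&2; return 1; }
    done
    for host in "$@"; do
        printf '%s\n' "-A $chain -s $host/32 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT"
    done
    # Order matters: the DROP must follow every ACCEPT in the chain.
    printf '%s\n' "-A $chain -p tcp -m tcp --dport 25 -j DROP"
}

# $MAILSERVERS is left unquoted on purpose so it splits into one argument per host.
gen_smtp_rules INSIDE_ACCESS_OUT $MAILSERVERS
```

The printed lines can be placed in the filter section of a rules file that is then loaded with iptables-restore.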