I don't know what either you or the parent are talking about. The OUTPUT chain is ONLY useful for filtering when:

1. The machine runs services as an account other than root; in which case, default-accept is still ok in my book, just filter the uid of the service.
2. You don't know how to work with inbound packets.
3. The machine is a multi-user access server.
4. The machine is a workstation.

INPUT and FORWARD should be your gatekeepers. I would shy away from filtering in PREROUTING as it gets messy to track before DNAT / REDIRECTing.

My corp. firewalls: INPUT: 10-20 rules, FORWARD: 75-200, OUTPUT: 0
My home firewall: INPUT: 7 rules, FORWARD: 8 rules, OUTPUT: 0

In conclusion, it is all up and fine to use OUTPUT filtering if you really really want to, but I fail to see how enforcing OUTPUT filtering helps to secure a network as long as the Linux firewall is stand-alone. For a userspace tool like ZoneAlarm, and Norton Internet Security, there is currently no mechanism to trap/query users based on outgoing packets. When that technology is developed for Linux, you'll really see the benefits of OUTPUT filtering.
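The ruleset shape the post describes (INPUT and FORWARD as the gatekeepers with a DROP policy, OUTPUT left at its default ACCEPT, and the only OUTPUT rule a uid match on a single unprivileged service), as an added example that is not part of the original post or anyone's production firewall. The interface names, addresses and the service uid (33, www-data on Debian) are assumptions chosen for illustration; the script emits an iptables-restore file rather than calling iptables directly so it can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the original post. Emits a *filter table in
# iptables-restore format following the layout described above:
#   INPUT/FORWARD: policy DROP, these are the gatekeepers
#   OUTPUT:        policy ACCEPT, one rule that restricts a service by uid
# All names and numbers below are assumptions for illustration.

WAN_IF="eth0"            # assumed external interface
LAN_IF="eth1"            # assumed internal interface
LAN_NET="192.168.1.0/24" # assumed internal network
SSH_ADMIN="192.168.1.10" # assumed admin host allowed to SSH to the firewall
SVC_UID="33"             # assumed uid of the web service (www-data on Debian)

# Print the complete ruleset. iptables-restore ignores lines starting with '#'.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: traffic addressed to the firewall host itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -s $SSH_ADMIN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# FORWARD: traffic routed through the firewall (LAN -> WAN only)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# OUTPUT: default ACCEPT. The single rule stops the web service's uid from
# opening NEW connections; replies to inbound requests are ESTABLISHED and
# still pass. The owner match is only available in OUTPUT/POSTROUTING.
-A OUTPUT -m owner --uid-owner $SVC_UID -m conntrack --ctstate NEW -j REJECT
COMMIT
EOF
}

# Count the rules in one chain ("-A <chain> ..." lines), to show the
# INPUT/FORWARD-heavy, OUTPUT-light shape the post describes.
count_rules() {
    build_ruleset | grep -c "^-A $1 "
}

# On a real box (as root), validate first, then load:
#   build_ruleset | iptables-restore --test
#   build_ruleset | iptables-restore
```

`iptables-restore --test` parses the ruleset without applying it, which is the check to run before loading anything that sets INPUT to DROP over an SSH session; the admin-host rule on port 22 is what keeps that session alive once loaded.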