I often do it just to be thorough... I'm only human after all.

Bob

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx]On Behalf Of Technical
Sent: Thursday, January 22, 2004 4:48 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: could someone translate these rules inot plain english

> Technical wrote:
>> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> For this chain (presumably packets inbound to the network), accept any
> packets that are part of established TCP connections (ie: a SYN packet
> for the connection has gone out from the network), or related to UDP
> packets that have gone out through the firewall.
>
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>
> Otherwise, reject the packet by sending back an ICMP message telling the
> remote host that communication with its intended target is
> administratively prohibited.
>
> HTH
> Alex Satrapa

If the default is that iptables rejects all packets that cannot be dealt with by any of the previous rules, why would someone use the last rule? Am I missing something?
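To make the thread's point concrete, here is an added toy model of filter-table chain traversal (example code written for this page, not from the netfilter project or any of the posters). It assumes the standard iptables behaviour that a user-defined chain such as RH-Firewall-1-INPUT has no policy of its own: a packet that matches none of its rules returns to the built-in INPUT chain and is then decided by INPUT's policy, which is ACCEPT unless the administrator has changed it. The extra "accept tcp/22" rule and the packets are constructed for the demonstration; the two rules from the thread are reproduced as written.

```python
"""Toy model of iptables filter-table traversal (constructed example).

It models just enough of iptables to show why the trailing
"-j REJECT --reject-with icmp-host-prohibited" rule matters: without
it, a packet that matches nothing in RH-Firewall-1-INPUT falls back to
the INPUT chain's policy, which is ACCEPT by default.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port (0 for icmp)
    state: str   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str                      # ACCEPT, DROP, REJECT or a chain name
    reject_with: Optional[str] = None


@dataclass
class Chain:
    rules: list = field(default_factory=list)
    policy: Optional[str] = None     # only built-in chains carry a policy


def state_match(*states):
    """-m state --state A,B : match if the packet's conntrack state is listed."""
    allowed = set(states)
    return lambda p: p.state in allowed


def tcp_port(port):
    """-p tcp --dport N (assumed extra service rule, not from the thread)."""
    return lambda p: p.proto == "tcp" and p.dport == port


def traverse(chains, name, pkt):
    """Walk chain `name`; return (verdict, reject_with), or None on fall-through."""
    for rule in chains[name].rules:
        if not rule.match(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target, rule.reject_with
        # Jump to a user-defined chain; if nothing there matches,
        # control returns here and the walk continues.
        sub = traverse(chains, rule.target, pkt)
        if sub is not None:
            return sub
    policy = chains[name].policy
    return (policy, None) if policy else None


def build(with_final_reject: bool):
    """Build INPUT -> RH-Firewall-1-INPUT, optionally with the trailing REJECT."""
    fw = Chain(rules=[
        Rule(state_match("ESTABLISHED", "RELATED"), "ACCEPT"),
        Rule(tcp_port(22), "ACCEPT"),                 # assumed: allow inbound ssh
    ])
    if with_final_reject:
        fw.rules.append(Rule(lambda p: True, "REJECT", "icmp-host-prohibited"))
    return {
        # INPUT's policy is ACCEPT unless the administrator changed it
        "INPUT": Chain(rules=[Rule(lambda p: True, "RH-Firewall-1-INPUT")],
                       policy="ACCEPT"),
        "RH-Firewall-1-INPUT": fw,
    }


def verdict(with_final_reject: bool, pkt: Packet):
    """Final fate of `pkt` under the ruleset built by build()."""
    return traverse(build(with_final_reject), "INPUT", pkt)


if __name__ == "__main__":
    new_http = Packet("tcp", 80, "NEW")        # constructed: unsolicited inbound
    reply = Packet("tcp", 80, "ESTABLISHED")   # constructed: reply to our own request
    for final in (False, True):
        print(f"final REJECT rule present={final}: "
              f"NEW tcp/80 -> {verdict(final, new_http)}, "
              f"ESTABLISHED tcp/80 -> {verdict(final, reply)}")
```

Running the script shows the difference the trailing rule makes: an unsolicited NEW packet to tcp/80 is accepted by INPUT's default policy when the REJECT rule is absent, and is rejected with icmp-host-prohibited when it is present, while ESTABLISHED traffic is accepted either way by the first rule.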