Hi All,

If PREROUTING is the first rule a packet touches when arriving at the firewall, why then do we not set the default to DROP here and allow through what we need? That is, if you are running a NAT environment.

Then if a packet makes it through the PREROUTING, you can pass it to the INPUT rule base if it is for the firewall machine itself, or to FORWARD if it's for the LAN, for example. Making the default DROP for both the above, and allowing specifics again.

Thanks for any comments offered...

Stuart