Firehol DROPping INVALID

Hi,

I have asked this on the Firehol lists, but got no response. Hope you
can help.

I am using kernel 2.6.6 and have firehol setting up a firewall on the
gateway machine with eth0 LAN, ppp0 dial-up link. NAT for hosts on LAN.

If the ppp link is down and a host on the LAN sends a packet destined
for the outside world, the icmp-unreachable packet does not get
returned, so the LAN host has to wait to time out.

The offending command issued by firehol seems to be:

iptables -A OUTPUT -m state --state INVALID -j DROP

Although the comment says this is recommended in the Netfilter HOWTO, I
cannot find it.

I can get round it by adding

iptables -I OUTPUT 2 -m state --state INVALID -p icmp --icmp-type destination-unreachable -j ACCEPT

which inserts the ACCEPT before the DROP above and means that hosts on
the LAN get an immediate icmp reply "destination-unreachable" if the
ppp link is down.

Is this wise? Secure? Am I missing something?

Thanks for your help

Mark
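One way to keep firehol's INVALID drop while still letting the gateway's own ICMP errors reach the LAN, as an added example that is not part of the original post and not firehol's own output: an iptables-restore fragment for the OUTPUT chain with the ACCEPT placed ahead of the DROP, plus a check that can run without root to confirm the ordering. Restricting the ACCEPT to eth0 (the LAN interface named in the post) is my assumption; the rest of the ruleset is not reproduced.

```shell
#!/bin/sh
# Added example (not from the original post or from firehol).
# Emits an OUTPUT-chain fragment in iptables-restore format. Rule order is
# the whole point: netfilter evaluates a chain first-match, so the ICMP
# destination-unreachable ACCEPT must be listed before the INVALID DROP,
# otherwise the error the gateway generates when ppp0 is down is dropped
# and LAN hosts wait for a timeout instead.
output_chain_rules() {
  cat <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
# Locally generated ICMP errors towards the LAN (eth0 assumed as LAN side).
# Limited to one ICMP type and one interface rather than opening all of icmp.
-A OUTPUT -o eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
# firehol's stateless-garbage drop keeps its place after the ICMP exception.
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Ordering check usable on any box (no iptables needed): returns 0 only if
# the destination-unreachable ACCEPT appears before the INVALID DROP.
icmp_accept_precedes_invalid_drop() {
  output_chain_rules | awk '
    /--icmp-type destination-unreachable -j ACCEPT/ && !acc  { acc = NR }
    /--state INVALID -j DROP/                       && !drop { drop = NR }
    END { exit !(acc && drop && acc < drop) }'
}

# Stand-alone use: print the fragment and report the ordering result.
# On the gateway itself the live chain can be checked with
#   iptables -L OUTPUT -n --line-numbers
output_chain_rules
if icmp_accept_precedes_invalid_drop; then
  echo "ok: ICMP destination-unreachable ACCEPT precedes INVALID DROP"
else
  echo "wrong order: INVALID DROP would swallow the ICMP error" >&2
fi
```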