> $ipt -t filter -A OUTPUT -o $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
>
> $ipt -t filter -A INPUT -i $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
>
> $ipt -t filter -A FORWARD -i $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS
>
> $ipt -t filter -A FORWARD -o $extif_name -p udp -d 192.168.1.255 --dport 137:139 -j DROP #NETBIOS

All these rules block is UDP 137-139 to the specific broadcast address on your internal LAN. While this is nice for tidying up your logs, I *believe* the original poster was looking to keep NetBIOS-related traffic from leaking out to the internet. In which case, my recommendation is:

    -A FORWARD -o $external_if -p udp --dport 137:138 -j DROP
    -A FORWARD -o $external_if -p tcp --dport 139 -j DROP
    -A FORWARD -o $external_if -p tcp --dport 445 -j DROP

Two notes:

All the examples are using "-A". Keep in mind that if you already have some kind of "allow everything on the inside out" rule, these will never get matched. In such a case, you would need to "-I FORWARD x" where x = the number of the "allow everything out" rule.

It gets mentioned all the time on this list, but hey--you can never get too much of a good thing, right: the best way to design your firewall rules is to start with a default drop, and then just allow the specific traffic that you need. It may take slightly longer to get it set up initially, but it requires much less care & feeding in the long run.

-j
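The rule-placement point above (egress DROP rules appended with -A sit uselessly behind a blanket "inside out" ACCEPT, so they must be inserted with -I at that rule's number) as an added example, not from the list post: a POSIX sh script that finds the position of such a rule in a constructed `iptables -S FORWARD` listing and emits the NetBIOS/SMB egress DROP rules ahead of it. Interface names eth0/eth1 and the sample ruleset are constructed; IPT defaults to echo for a dry run.

```shell
#!/bin/sh
# Added example (not the list post's own rules). Set IPT=iptables on a
# real router; the default of echo just prints what would be run.
IPT="${IPT:-echo}"

# Constructed sample of `iptables -S FORWARD`: rule 2 is a blanket
# "inside (eth1) to outside (eth0)" accept that would shadow any -A DROP.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT'

# allow_all_out_pos EXTIF LISTING: print the 1-based number of the first
# FORWARD rule that accepts everything leaving via EXTIF (has "-o EXTIF"
# and "-j ACCEPT" but no -p/--dport match). Prints nothing if none exists,
# in which case plain -A is safe. Only -A lines are counted, so NR matches
# the rule numbering that -I expects.
allow_all_out_pos() {
    printf '%s\n' "$2" | grep '^-A FORWARD' | awk -v ext="$1" '
        $0 ~ ("-o " ext) && $0 ~ /-j ACCEPT/ && $0 !~ /-p |--dport/ { print NR; exit }'
}

# netbios_egress_rules EXTIF [POS]: emit the three egress DROP rules from the
# reply. With POS they are inserted with -I so they precede the blanket
# accept (their relative order is reversed, which is harmless for DROPs);
# without it they are appended with -A.
netbios_egress_rules() {
    ext="$1"; pos="$2"
    if [ -n "$pos" ]; then where="-I FORWARD $pos"; else where="-A FORWARD"; fi
    $IPT $where -o "$ext" -p udp --dport 137:138 -j DROP
    $IPT $where -o "$ext" -p tcp --dport 139 -j DROP
    $IPT $where -o "$ext" -p tcp --dport 445 -j DROP
}

# Dry run against the constructed listing: finds rule 2 and inserts ahead of it.
pos=$(allow_all_out_pos eth0 "$SAMPLE_FORWARD")
netbios_egress_rules eth0 "$pos"
```

On a live box, verify placement afterwards with `iptables -S FORWARD` and confirm the DROP lines come before the blanket ACCEPT.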