Hi guys, I didn't understand the following question and answer on netfilter's faq: "3.18 Why isn't the 'iptables -C' (--check) option implemented? Well, first of all, we're lazy ;). To be honest, implementing a check option is almost impossible as soon as you start to do stateful firewalling. Traditional stateless firewalling bases it's decision just on information present in the packets header. But with connection tracking (and '-m state' based rules), the outcome of the filtering decision depends on header+payload, as well as header+payload of previous packets within this connection." First of all, what does they mean about "--check"? What would they check? What is "packet payload"? How does it make the "--check" option impossible to be implemented? thanks in advance, bruno negrao