Once again, thanks Antony

Correcting my mistakes right now

Kind Regards
Brent Clark

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
Sent: Tuesday, August 10, 2004 10:45 AM
To: iptables
Subject: Re: Ruleset

On Tuesday 10 August 2004 9:27 am, Antony Stone wrote:
> On Tuesday 10 August 2004 8:22 am, Brent Clark wrote:
> > Hi all
> >
> > If possible would someone be so kind as to have a look at my ruleset and
> > if possible, share some pointers. I have another Linux box (IP address
> > 192.168.3.3, connected to eth1 on the FW). I have a LAN (192.168.2.0/24)
> > connected to eth0. For my internet handling I have a ppp connection. I'm
> > also currently toying with dyndns (ez-ipupdate).
>
> 4. Do you *really* want to allow *all* NEW packets from the Internet to the
> DMZ, no matter what protocol they are? You might as well simply stick
> your 192.168.3.3 machine on a public IP address with no firewall....

The above comment is not quite accurate - you are, of course, only DNATting packets to TCP port 80, therefore only HTTP should get through to the DMZ. However, I would still recommend narrowing down the FORWARD rule just to make it obvious that's what's happening when you look at the filter rules, rather than having to refer to the nat rules to figure out what traffic is being allowed.

In other words, make the ruleset slightly more obvious, so you don't make the same mistake I did, when you come to read the ruleset in 3 months' time :)

Regards,

Antony.

--
People who use Microsoft software should be certified.

Please reply to the list; please don't CC me.
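Antony's point above (a FORWARD rule that accepts any NEW packet to the DMZ host, while only the nat table limits it to TCP/80) can be turned into an automated review check. The script below is an added example, not code from the thread: it parses a constructed iptables-save style fragment modelled on the ruleset described (interface names ppp0 and eth1 are assumptions) and reports FORWARD ACCEPT rules for a DNAT'd host that lack the protocol/port the DNAT actually forwards.

```python
import shlex

# Constructed iptables-save fragment modelled on the thread: one DNAT for TCP/80
# to the DMZ host, but a FORWARD rule that accepts *any* NEW packet to it.
# ppp0/eth1 are assumed interface names, not taken from the original post.
RULESET = """
*nat
-A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.3.3:80
COMMIT
*filter
-A FORWARD -i ppp0 -o eth1 -d 192.168.3.3 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

def parse(ruleset):
    """Yield (table, chain, opts) per -A line; opts maps '-p', '--dport', ... to values."""
    table = None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = shlex.split(line)
            chain, opts, i = toks[1], {}, 2
            while i < len(toks):
                if toks[i].startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    opts[toks[i]] = toks[i + 1]; i += 2
                else:
                    opts[toks[i]] = True; i += 1   # bare flag without a value
            yield table, chain, opts

def dnat_targets(rules):
    """Map DNAT destination IP -> set of (proto, dport) the nat table forwards to it."""
    targets = {}
    for table, _chain, o in rules:
        if table == "nat" and o.get("-j") == "DNAT":
            ip = o["--to-destination"].split(":")[0]
            targets.setdefault(ip, set()).add((o.get("-p"), o.get("--dport")))
    return targets

def overly_broad_forward(ruleset):
    """Return (dmz_ip, [needed matches]) for FORWARD ACCEPTs of NEW flows to a DNAT'd
    host that do not carry the proto/port restriction the DNAT rule implies."""
    rules = list(parse(ruleset))
    targets = dnat_targets(rules)
    findings = []
    for table, chain, o in rules:
        if table != "filter" or chain != "FORWARD" or o.get("-j") != "ACCEPT":
            continue
        allows_new = "NEW" in o.get("--state", "NEW")  # no state match => NEW allowed too
        ip = o.get("-d", "").split("/")[0]
        if ip in targets and allows_new and (o.get("-p"), o.get("--dport")) not in targets[ip]:
            findings.append((ip, sorted(f"-p {p} --dport {d}" for p, d in targets[ip])))
    return findings
```

Adding `-p tcp --dport 80` to the FORWARD rule clears the finding, and the filter table then states on its own what reaches the DMZ.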