> > > then the rules should have interface restrictions as well. Do or do
> > > not do, there is no try.
> >
> > Huh? If it's not an IP you assigned, why let it out on any interface? I'm
> > not sure I follow you here.
>
> Sorry, I suppose I wasn't very clear. What I meant was: instead of
> using a rule that says
>
>   iptables -A OUTPUT -s $LAN_IP -j ACCEPT
>
> restrict it by interface as well as by IP:
>
>   iptables -A OUTPUT -o $LAN_IF -s $LAN_IP -j ACCEPT

OK, now I see your point.

> This is all a matter of opinion. I'm not trying to dictate anything here.

The whole issue is essentially theoretical, since changing IP addresses
requires root access. If it ever gets to this, you're only buying yourself
a few minutes, and an intruder would probably rather have the original
functioning connection anyway.

Jeff
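The interface-plus-address pairing discussed in the thread, written out as a complete OUTPUT chain. This is an added example and not a script posted by anyone in the thread; the interface names and addresses are placeholders, and the DRY_RUN switch (so the rule set can be reviewed without root) is my own addition.

```shell
#!/bin/sh
# Added example (not from the thread): pair every locally assigned address
# with the one interface it lives on, so an egress packet sourced from an
# address this host does not own on that interface is logged and dropped.
# Interface and address values below are assumptions for illustration.
LAN_IF="${LAN_IF:-eth0}"
LAN_IP="${LAN_IP:-192.168.1.10}"
WAN_IF="${WAN_IF:-eth1}"
WAN_IP="${WAN_IP:-203.0.113.5}"

# DRY_RUN=1 prints the iptables commands instead of running them, so the
# resulting rule set can be inspected (or tested) without root.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

output_rules() {
    ipt -P OUTPUT DROP
    ipt -F OUTPUT
    # With a DROP policy, loopback has to be allowed explicitly or local
    # services (resolver, anything bound to 127.0.0.1) stop working.
    ipt -A OUTPUT -o lo -j ACCEPT
    # Each address is valid only on the interface it was assigned to:
    # the right address on the wrong interface does not match either rule.
    ipt -A OUTPUT -o "$LAN_IF" -s "$LAN_IP" -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -s "$WAN_IP" -j ACCEPT
    # Everything else is sourced from an address we did not assign (or is
    # leaving via the wrong interface). Rate-limited log, then explicit drop.
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-SPOOF: "
    ipt -A OUTPUT -j DROP
}

# Run with DRY_RUN=1 to print the rules; without it, apply them as root.
output_rules
```

The log rule is what turns the "theoretical" case from the reply into something visible: if an intruder with root does rebind an address, the first packet out on the wrong interface/address pair shows up with the OUT-SPOOF prefix rather than silently disappearing.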