Jason Opperisano wrote:
> On Tue, Mar 22, 2005 at 05:06:39PM +0100, Toby wrote:
> > Dear netfilter users,
> >
> > I've found it handy to put filtering rules in the nat table,
>
> do *NOT* filter in the nat table. only --state NEW packets ever
> traverse the nat table.

That's why I put it in the nat table in the first place, and it's exactly what makes it easier and shorter.

If you look at my two examples you'll see that ESTABLISHED,RELATED are always accepted no matter what, and frankly I don't see a reason to do otherwise, even on production firewalls.

So the only difference I see in my two examples regards --state INVALID packets. Are they a security problem? Do they ever show up?

If that's really the only difference, I could put a --state INVALID -j DROP in filter or mangle and keep on filtering in the nat table. Is there any other difference?

Toby
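The stateful policy under discussion (ESTABLISHED,RELATED always accepted, INVALID dropped, explicit rules for NEW connections), expressed in the filter table as Jason recommends rather than in nat. This is an added example and not a ruleset posted by anyone in the thread. It prints the iptables commands instead of executing them so the result can be reviewed before being piped to sh on the firewall; the WAN interface name eth0 and the allowed inbound TCP ports 22 and 80 are assumed values.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: generate a stateful
# ruleset for the filter table. The rules are printed, not applied, so they
# can be inspected first (pipe the output to sh to apply on the firewall).
# Assumptions: WAN interface eth0; inbound TCP ports 22 and 80 are allowed.

IPT="${IPT:-iptables}"

# emit_filter_rules <wan_iface> <tcp_port>...
# Prints one iptables command per line for the INPUT and FORWARD chains.
emit_filter_rules() {
    wan="$1"; shift
    # Default-deny policies; everything not explicitly accepted is dropped.
    printf '%s -P INPUT DROP\n' "$IPT"
    printf '%s -P FORWARD DROP\n' "$IPT"
    printf '%s -F INPUT\n' "$IPT"
    printf '%s -F FORWARD\n' "$IPT"
    # Loopback traffic is always trusted.
    printf '%s -A INPUT -i lo -j ACCEPT\n' "$IPT"
    for chain in INPUT FORWARD; do
        # INVALID packets never traverse the nat table (only the first
        # packet of a connection does), so the drop has to live in filter.
        printf '%s -A %s -m state --state INVALID -j DROP\n' "$IPT" "$chain"
        # Packets belonging to connections already tracked by conntrack.
        printf '%s -A %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$IPT" "$chain"
    done
    # Only explicitly listed services may open NEW connections from the WAN.
    for port in "$@"; do
        printf '%s -A INPUT -i %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
            "$IPT" "$wan" "$port"
    done
    # Log what falls through; the DROP policy then discards it.
    printf '%s -A INPUT -i %s -j LOG --log-prefix "INPUT drop: "\n' "$IPT" "$wan"
}

emit_filter_rules eth0 22 80
```

The INVALID drop is placed before the ESTABLISHED,RELATED accept so that a packet conntrack cannot associate with any connection is discarded before any accept rule is consulted. `-m state` is the syntax of the era of the thread; current iptables spells the same match `-m conntrack --ctstate`.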