On Tue, 2005-03-22 at 12:23, Toby wrote:
> That's why I put it in the nat table in the first place and it's exactly
> what makes it easier and shorter.
>
> If you look at my two examples you'll see that ESTABLISHED,RELATED are
> always accepted no matter what--and frankly I don't see a reason to do
> otherwise, even on production firewalls.
>
> So the only difference I see in my two examples regards --state INVALID
> packets. Are they a security problem? Do they ever show up?
> If that's really the only difference, I could put a --state INVALID -j
> DROP in filter or mangle and keep on filtering in the nat table.
>
> Is there any other difference?

yeah--don't filter in nat.

-j

--
"I'm a well-wisher, in that I don't wish you any specific harm." --The Simpsons
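As an added example (not part of the thread, and not Toby's or -j's ruleset), here is the shape of a ruleset that follows the reply's advice: all accept/drop decisions, including the INVALID drop, live in the filter table, and the nat table only rewrites addresses. The reason the advice matters is that conntrack consults the nat chains only for the first packet of a new connection; later ESTABLISHED and RELATED packets, and anything conntrack classifies as INVALID, never traverse them, so a DROP placed in nat simply does not see that traffic. The interface name eth0 and the exposed ports 22 and 80 are assumptions for illustration. The script prints the commands by default and only executes them when APPLY=1 is set and it is run as root.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Keeps every filtering decision in the filter table; nat only rewrites.
# WAN_IF and ALLOW_TCP_PORTS are assumed values for illustration.

WAN_IF="${WAN_IF:-eth0}"                     # assumed external interface
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22 80}"  # assumed services to expose

# filter_rules: print the filter-table commands, in the order they must run.
filter_rules() {
    printf '%s\n' "iptables -t filter -P INPUT DROP"
    printf '%s\n' "iptables -t filter -P FORWARD DROP"
    # 1. INVALID first: a packet conntrack cannot classify can never match
    #    ESTABLISHED,RELATED anyway, so dropping it up front costs nothing
    #    and keeps it away from the per-service rules below.
    printf '%s\n' "iptables -A INPUT -m state --state INVALID -j DROP"
    # 2. Everything that belongs to a known connection is accepted.
    printf '%s\n' "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "iptables -A INPUT -i lo -j ACCEPT"
    # 3. Only NEW connections to the listed services get through.
    for p in $ALLOW_TCP_PORTS; do
        printf '%s\n' "iptables -A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# nat_rules: address rewriting only. No ACCEPT/DROP targets belong here,
# because these chains see just the first packet of each connection.
nat_rules() {
    printf '%s\n' "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# count_filter_rules: how many filter-table commands were generated.
count_filter_rules() {
    filter_rules | wc -l | tr -d ' '
}

# Dry run by default; APPLY=1 (as root) executes the generated commands.
if [ "${APPLY:-0}" = "1" ]; then
    { filter_rules; nat_rules; } | sh -e
else
    filter_rules
    nat_rules
fi
```

Run it as `sh rules.sh` to review the commands, then `APPLY=1 sh rules.sh` as root to load them. The INVALID rule is placed before the ESTABLISHED,RELATED rule on purpose: the two states are mutually exclusive, so the order does not change what is accepted, but putting the drop first means INVALID packets are discarded before any later rule can accidentally match them.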