> Would it be safe to set the OUTPUT default policy to ACCEPT?
> Every time I set it to DROP I get locked out, I suppose it
> has to do with the fact that I have no rules for the OUTPUT chain.

A lot of people set OUTPUT policy to ACCEPT.

You can always do something like:

  $ipt -P OUTPUT DROP
  $ipt -A OUTPUT -p tcp --sport 1024: -j ACCEPT
  $ipt -A OUTPUT -p udp --sport 1024: -j ACCEPT
  $ipt -A OUTPUT -p icmp -j ACCEPT

This way a program cannot pretend to be something like a web- or mailserver.

If you check "/proc/sys/net/ipv4/ip_local_port_range" you see the local
port range (sport) your box will use. You can use this range in your rules.
E.g. you could use "32768:61000" (if that is your range) instead of "1024:".

Gr,
Rob
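
An added example, not part of Rob's reply: a dry-run script that reads a file in the ip_local_port_range format and prints the OUTPUT rules for that range. The function names, the conntrack rule for replies from listening services such as sshd, and setting the DROP policy last are assumptions of this example; the sample file is constructed.

```shell
#!/bin/sh
# Added example: print (do not apply) OUTPUT rules built from the local port range.

# parse_port_range FILE -> prints "LOW:HIGH"; fails on missing or malformed input.
parse_port_range() {
    low= high=
    # The file holds two whitespace-separated integers, e.g. "32768<TAB>60999".
    read -r low high < "$1" || [ -n "$low" ] || return 1
    [ -n "$low" ] && [ -n "$high" ] || return 1
    case "$low$high" in *[!0-9]*) return 1 ;; esac
    [ "$low" -le "$high" ] && [ "$high" -le 65535 ] || return 1
    printf '%s:%s\n' "$low" "$high"
}

# emit_output_rules FILE [IPTABLES_CMD] -> prints the rule set, one command per line.
emit_output_rules() {
    range=$(parse_port_range "$1") || return 1
    ipt=${2:-iptables}
    # Assumption of this example: replies on connections that INPUT already
    # accepted (e.g. sshd answering from port 22) are allowed through conntrack,
    # so a remote session survives. INPUT still decides which services are reachable.
    # The policy is switched to DROP last, after every ACCEPT rule is in place.
    cat <<EOF
$ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -p tcp --sport $range -j ACCEPT
$ipt -A OUTPUT -p udp --sport $range -j ACCEPT
$ipt -A OUTPUT -p icmp -j ACCEPT
$ipt -P OUTPUT DROP
EOF
}

# Demo on a constructed sample; on a real box pass
# /proc/sys/net/ipv4/ip_local_port_range instead.
sample=$(mktemp)
printf '32768\t60999\n' > "$sample"
emit_output_rules "$sample"
rm -f "$sample"
```

Review the printed commands before piping them to a root shell.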