hello; reply below.

On 6/20/05, /dev/rob0 <rob0@xxxxxxxxx> wrote:
> On Monday 20 June 2005 11:17, terry l. ridder wrote:
> > while i have reservations concerning posting the output of
> > iptables-save i have placed it on my web server:
> >
> > http://204.238.34.206/iptables-save-20jun2005.txt
>
> Yikes, this is very long. First, I see that you're doing all your
> filtering in nat, PREROUTING and POSTROUTING. Why?
>

because that is the way i know that works. it has worked fine for many
years. it was not until i upgraded the firewall machine (new computer
with debian sarge) that iptables began to leak.

> I prefer to do filtering in the filter table as $DEITY intended. :)
>
<major snip>

one of the reasons for using table nat is to dnat all ip addresses with
destination port 25 (smtp) to the mail server, 204.238.34.206.

connection tracking is turned off since at one time i was using tarpit
instead of just dropping the connections. tarpitting all of lacnic,
apnic, a large portion of ripencc, and a large portion of arin became
boring. now i just drop the connections.

i have added logging on both the firewall box, 204.238.34.232, and the
mail server, 204.238.34.206. both boxes will be logging the leaks.

--
terry l. ridder ><>
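The split rob0 suggests, keeping only the port-25 DNAT in nat/PREROUTING and putting the accept/drop decisions and the LOG rules in the filter table's FORWARD chain, as an added example that is not from the thread or either poster's ruleset. The mail server and firewall addresses are the thread's; the WAN interface name eth0 and the dropped range 198.51.100.0/24 are assumptions. The script prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Constructed example: DNAT in nat, filtering and logging in filter.
WAN=${WAN:-eth0}                 # assumed upstream interface name
MAILHOST=204.238.34.206          # mail server from the thread
FIREWALL=204.238.34.232          # firewall box from the thread
BLOCKED=198.51.100.0/24          # placeholder range to drop (constructed)

# Emit one iptables command; only execute it when APPLY=1 (needs root).
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_rules() {
    # nat table: rewrite the destination only, no filtering decisions here.
    # The nat table is consulted for the first packet of a connection only,
    # so accept/drop logic placed here does not see every packet.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAILHOST"

    # filter table: every forwarded packet traverses FORWARD, so drop,
    # accept and log here. A dedicated chain keeps the SMTP policy in
    # one place and makes the firewall-side log easy to correlate with
    # the mail server's own log.
    ipt -N SMTP_IN
    ipt -A FORWARD -i "$WAN" -p tcp -d "$MAILHOST" --dport 25 -j SMTP_IN
    ipt -A SMTP_IN -s "$BLOCKED" -j LOG --log-prefix "smtp-drop: "
    ipt -A SMTP_IN -s "$BLOCKED" -j DROP
    ipt -A SMTP_IN -j LOG --log-prefix "smtp-pass: "
    ipt -A SMTP_IN -j ACCEPT
}

# Number of rules that touch the nat table; should stay at one (the DNAT)
# if no filtering has crept back into nat.
nat_rule_count() {
    build_rules | grep -c -- '-t nat '
}

# Dry run by default; set APPLY=1 and run as root to load the rules.
build_rules
```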