hi, I read in the iptables manual [in Appendix B, Common problems and questions] that the NEW state match may accept any packet marked as NEW whether it has the SYN bit set or not. It says "If you use state NEW, packets with the SYN bit unset will get through your firewall". So in short it means anything marked NEW is passed through irrespective of whether SYN is set or not, or maybe any other bit is set.

My question is: if I have a single firewall with a deny-all policy and want to accept only new connections for IPs or services like ssh, smtp etc., what should my rule be?

a) iptables with --syn, OR
b) iptables with --syn + NEW, OR
c) ONLY iptables with NEW

What is the recommended rule for a restrictive firewall? I guess option a) is the best one. But it should not lead to a lot of connection drops, as NEW allows timed-out connections if the connection is not closed. Please suggest the best practice.

Secondly, if I want to limit ssh connections for SYN flood protection, what are the recommended limit and limit-burst values?

Thirdly, if I want to limit ping for ping flood protection, what are the recommended limit and limit-burst values?

Please suggest the best practice.

Thanks & Regards,
sub
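As an added example (not part of the original post and not taken from the iptables manual), the script below builds the restrictive ruleset the question describes using option b): each new TCP connection must match both `--syn` and state NEW. The manual quote in the post is the reason for combining them: NEW alone passes a non-SYN packet that conntrack has not seen before, and `--syn` alone carries no connection-tracking state, so the pair lets the default DROP policy catch anything that is not a genuine first packet. The ports, the `limit`/`limit-burst` values for ssh and ping, and the loopback interface name are assumptions chosen for illustration, not recommended figures. The script is a dry run by default (it echoes the rules instead of loading them), so it runs unprivileged; set `IPT=iptables` and run as root to apply it.

```shell
#!/bin/sh
# Added example, not from the original post. Dry-run by default: with IPT unset the
# rules are printed rather than loaded. Use IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"

# Accept a new TCP connection to port $1 only when its first packet is a real SYN
# (option b in the question: --syn AND state NEW). A packet that is NEW to conntrack
# but has SYN unset is not matched here and falls through to the default DROP policy.
allow_new_tcp() {
    $IPT -A INPUT -p tcp --dport "$1" --syn -m state --state NEW -j ACCEPT
}

# Rate-limit new ssh connections: accept up to the sustained rate $1 with a burst of
# $2 (the defaults are illustrative assumptions), then drop further SYNs to port 22.
limit_new_ssh() {
    rate="${1:-3/minute}"
    burst="${2:-5}"
    $IPT -A INPUT -p tcp --dport 22 --syn -m state --state NEW \
        -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j DROP
}

# Rate-limit ICMP echo requests the same way (values again assumed, not recommended).
limit_ping() {
    rate="${1:-1/second}"
    burst="${2:-4}"
    $IPT -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# Whole ruleset: deny-all policy, loopback and established traffic first, then the
# per-service NEW+SYN rules. Port 25 stands in for smtp as mentioned in the question.
build_ruleset() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    limit_new_ssh
    allow_new_tcp 25
    limit_ping
}

# Dry-run helper: how many emitted rules mention a given destination port.
count_rules_for_port() {
    build_ruleset | grep -c -- "--dport $1"
}

# Stand-alone run prints the ruleset (dry-run mode).
build_ruleset
```

Reading the printed output back is the check a practitioner would make before loading it: the ssh and smtp rules must each carry `--syn -m state --state NEW`, the ssh and ping ACCEPT rules must be followed by an explicit DROP for the same traffic so that traffic over the limit does not fall through to a later rule, and ESTABLISHED,RELATED must be accepted before any of them so that a rule with `--syn` never has to match packets of an already open connection.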