After reading the ICMP state machine section of the Netfilter tutorial [http://iptables-tutorial.frozentux.net/iptables-tutorial.html#ICMPCONNECTIONS] it appears that ICMP traffic related to existing TCP and UDP connections falls under the RELATED,ESTABLISHED rules. So someone correct me if I'm wrong, but this means that any valid ICMP error message would get picked up by a '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' at the start of the chain, and so (as lst_hoe01 stated) allowing type 8 is all you really need to do, correct? (and a little reading goes a long way... =)

Thanks,
Derick Anderson