I've looked through the tutorial by Oskar Andreasson. My firewall book (and I think the howtos from Russell too) has this rule:

iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

The allowed chain of Oskar Andreasson is described like this:

#
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

Does this do the same, or might it be a good idea to add a rule to DROP NEW,INVALID packets like above for INPUT and FORWARD and the device eth0?

--
Best Regards,
Mark