> you may also want to rate limit the number of attempts from the > same IP to connect to SSH or you WILL get hammered. If you > search the archives I think *Joanne Dow* posted an example of > how to do so. If you don't need everyone to be able to reach the ssh port, you can lock the source IP's that must be able to reach the SSH port down to only the ones that should be able. Also/or, you could create 2 sshd_config's (with of course 2 separate sshd's on the inet and lan/dmz interfaces) and configure the inet sshd to only accept a pubkey instead of password authentication. It isn't too hard to do and you're rid of password guessing attacks. Grts, Rob -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html