> Just because of that I don't like dynamic IPs. But, are you using more
> than one IP on that interface?? So, if you use more than one, there
> is only one you don't know (probably), so specify the rules for the ones
> you know first!!
> If you have only one IP address, try simply doing the rule for the
> incoming interface and be happy ;)
>
> Another way is to set your after-dhcp script to reload your firewall!!

That is no solution. It may be for your scenario, but not for most people. Just think: if the device that makes the connection is a modem and your *unix machine is behind NAT, that won't work. Second, imagine that you have a fixed IP and want to allow access for somebody who has a dynamic IP, using their dynamic hostname. How would you? You wouldn't; the best way is to write some sort of script that checks when the IP of that host changes and removes/reinserts the rule for the dynamic host. For iptables to do a DNS query every time a packet comes in would be a disaster.

But another thing comes to mind: when doing "iptables -L" it does a reverse lookup on the IPs. Is iptables doing a reverse lookup on every packet, or only when listing the rules?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
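The "script that checks when the IP of the host changes and removes/reinserts the rule" described in the post above, written out as an added example (editor's code, not the poster's). It assumes a POSIX shell, `getent` for name resolution, the `INPUT` chain, a cache directory under `/var/lib/dynhost` and a TCP destination port; all of those are assumptions and are overridable through the variables at the top. The rule is always inserted with a literal address: iptables resolves a hostname once, when the rule is added, and the kernel only ever compares packet addresses against that stored IP, so no per-packet DNS happens regardless of how the rule was written.

```shell
#!/bin/sh
# dynhost-rule.sh (example, not from the netfilter project): keep an iptables
# ACCEPT rule in sync with a dynamic DNS name. Run from cron (say every 5
# minutes). It resolves the name, compares the answer with the address cached
# from the previous run, and only when it changed deletes the rule for the
# stale address and inserts one for the new address.

set -eu

IPT="${IPT:-iptables}"                       # assumed iptables binary name
CHAIN="${CHAIN:-INPUT}"                      # assumed chain; adjust to your ruleset
STATE_DIR="${STATE_DIR:-/var/lib/dynhost}"   # assumed cache location

# Resolve a name to one IPv4 address (first A record); prints nothing on failure.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Accept only a dotted quad, so an unexpected DNS answer can never be spliced
# into an iptables command line.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    echo "$1" | awk -F. 'NF!=4 {exit 1} {for (i=1;i<=4;i++) if ($i=="" || $i>255) exit 1}'
}

# Build the rule arguments once so insert and delete always match exactly.
rule_args() {  # $1 = source IP, $2 = TCP destination port
    printf '%s' "-s $1/32 -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# update_rule NAME DPORT
# Prints "unchanged IP" when nothing needed doing, "changed OLD NEW" after a
# replacement (OLD is "none" on the first run), and returns 1 without touching
# the ruleset when the name does not resolve to a valid address.
update_rule() {
    name="$1"; dport="$2"
    cache="$STATE_DIR/$name.$dport"
    new="$(resolve_host "$name")"
    if ! is_ipv4 "$new"; then
        echo "resolve failed for $name; keeping existing rule" >&2
        return 1
    fi
    old=""
    [ -f "$cache" ] && old="$(cat "$cache")"
    if [ "$old" = "$new" ]; then
        echo "unchanged $new"
        return 0
    fi
    # Delete the stale rule first (ignore failure if it is already gone),
    # then insert the new one at the top of the chain.
    if is_ipv4 "$old"; then
        # shellcheck disable=SC2046
        "$IPT" -D "$CHAIN" $(rule_args "$old" "$dport") 2>/dev/null || true
    fi
    # shellcheck disable=SC2046
    "$IPT" -I "$CHAIN" 1 $(rule_args "$new" "$dport")
    mkdir -p "$STATE_DIR"
    printf '%s\n' "$new" > "$cache"
    echo "changed ${old:-none} $new"
}

# Usage from cron, e.g.:  update_rule dyn.example.net 22
```

Keeping the rule text in one function is what makes the delete reliable: `-D` only matches a rule whose match and target fields are identical to what was inserted. A resolution failure deliberately leaves the old rule in place rather than dropping access because a resolver hiccupped. As for the listing question raised in the post, the reverse lookups happen only in `iptables -L`, which resolves stored addresses for display; `iptables -nL` prints them numerically and skips the lookups.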