Hi there,

Normally I think of firewalls as controlling packet flows that pass through them (for example: Internet to Intranet). Can netfilter also control traffic on the same subnet? Is this a typical thing to do, or is it more normal to also deploy locally hosted firewalls on the machines?

Suppose I had the following setup: Internal Machines 1, 2 and 3 are on the same subnet governed by the netfilter firewall.

                                         ---------- Machine1
    Internet ------ Netfilter Firewall ------------ Machine2
                                         ---------- Machine3

Suppose I don't want Machine1 communicating with Machine3. Assume eth0 is the internal Netfilter interface. All machines are in the same subnet. The Netfilter firewall can be considered to be a typical Linux box with router capabilities.

Is it normal to have the firewall restrict this kind of local subnet access even though it does not technically leave the network?

Would the rules be as follows:

    iptables -A FORWARD -i eth0 -s Machine1IP -d Machine3IP -j DROP
    iptables -A FORWARD -o eth0 -s Machine1IP -d Machine3IP -j DROP
    iptables -A FORWARD -i eth0 -s Machine3IP -d Machine1IP -j DROP   /* redundant to previous rules? */
    iptables -A FORWARD -o eth0 -s Machine3IP -d Machine1IP -j DROP   /* redundant to previous rules? */
    iptables -A FORWARD -i eth0 -s anyIP -d anyIP -j ACCEPT   /* allow Machine1 to talk to Machine2 and vice versa. Allow Machine3 to talk to Machine2 and vice versa. */
    iptables -A FORWARD -o eth0 -s anyIP -d anyIP -j ACCEPT   /* allow Machine1 to talk to Machine2 and vice versa. Allow Machine3 to talk to Machine2 and vice versa. */
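Added example, not code from the post or from the netfilter project: a small Python model of how the FORWARD chain would evaluate the six rules above under first-match semantics. It uses constructed 192.0.2.x addresses in place of the unnamed Machine1IP/Machine3IP, a single internal interface eth0 and an ACCEPT chain policy (all assumptions), and it assumes the packets actually enter the firewall's FORWARD path, which only happens when the kernel routes them; a frame that a switch delivers directly between two hosts on the same subnet never reaches this chain. The model renders each rule as the command that would install it and reports which of the rules marked "redundant?" can never be the first match.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample addresses (RFC 5737 documentation range); the post names
# the hosts Machine1IP/Machine3IP but gives no real addresses.
MACHINE1 = "192.0.2.11"
MACHINE2 = "192.0.2.12"
MACHINE3 = "192.0.2.13"
HOSTS = {"Machine1": MACHINE1, "Machine2": MACHINE2, "Machine3": MACHINE3}


@dataclass(frozen=True)
class Packet:
    """A routed packet as the FORWARD chain sees it: addresses plus the
    interface it arrived on (-i) and the one it will leave by (-o)."""
    src: str
    dst: str
    in_if: str
    out_if: str


@dataclass(frozen=True)
class Rule:
    """One '-A FORWARD ...' rule. None means that match option is absent."""
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every present match option must agree with the packet.
        return all(want is None or want == have for want, have in (
            (self.in_if, pkt.in_if), (self.out_if, pkt.out_if),
            (self.src, pkt.src), (self.dst, pkt.dst)))

    def to_iptables(self) -> str:
        """Render the rule as the command line that would install it."""
        parts = ["iptables", "-A", "FORWARD"]
        for flag, value in (("-i", self.in_if), ("-o", self.out_if),
                            ("-s", self.src), ("-d", self.dst)):
            if value is not None:
                parts += [flag, value]
        return " ".join(parts + ["-j", self.target])


# The ruleset from the post, in order. The "anyIP" rules become rules with
# no -s/-d match at all.
FORWARD: List[Rule] = [
    Rule("DROP", in_if="eth0", src=MACHINE1, dst=MACHINE3),
    Rule("DROP", out_if="eth0", src=MACHINE1, dst=MACHINE3),
    Rule("DROP", in_if="eth0", src=MACHINE3, dst=MACHINE1),
    Rule("DROP", out_if="eth0", src=MACHINE3, dst=MACHINE1),
    Rule("ACCEPT", in_if="eth0"),
    Rule("ACCEPT", out_if="eth0"),
]


def evaluate(rules: List[Rule], pkt: Packet,
             policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """First-match semantics: the first rule whose matches are all satisfied
    decides the verdict; if none matches, the chain policy applies."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.target, idx
    return policy, None


def hairpin_traffic() -> List[Packet]:
    """Every ordered host pair, entering and leaving on the single internal
    interface eth0 (the only way same-subnet traffic can reach FORWARD)."""
    return [Packet(s, d, "eth0", "eth0")
            for s in HOSTS.values() for d in HOSTS.values() if s != d]


def verdicts(rules: List[Rule]) -> Dict[Tuple[str, str], str]:
    """Verdict for each (src, dst) pair in the sample traffic."""
    return {(p.src, p.dst): evaluate(rules, p)[0] for p in hairpin_traffic()}


def never_matched(rules: List[Rule]) -> Set[int]:
    """Indices of rules that never decide a verdict for the sample traffic,
    i.e. the ones that are genuinely redundant with earlier rules."""
    hit = {evaluate(rules, p)[1] for p in hairpin_traffic()}
    return set(range(len(rules))) - hit


if __name__ == "__main__":
    for rule in FORWARD:
        print(rule.to_iptables())
    for (s, d), v in verdicts(FORWARD).items():
        print(f"{s} -> {d}: {v}")
    print("redundant rule indices:", sorted(never_matched(FORWARD)))
```

Run stand-alone, the model drops both directions between Machine1 and Machine3 and accepts everything involving Machine2. Only the -o eth0 duplicates (indices 1, 3 and 5) are never the first match, because the -i eth0 rule with the same addresses always precedes them on a single-interface hairpin; the Machine3 -> Machine1 rule at index 2 is not redundant, since the first two rules match only the Machine1 -> Machine3 direction.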