Hello,

I'm considering allowing inbound traceroutes to find me, in the interest of being a good Internet citizen. I could simply open the right UDP ports, but I'd rather more tightly control what's allowed than simply open them up entirely. Thus I'm considering something like the following. Should it meet my expectations of responding appropriately to traceroutes but otherwise not letting traffic through?

    -A INPUT -p udp --dport 33434:33534 -m ttl --ttl-eq 1 -j REJECT --reject-with icmp-port-unreachable

I'm using ttl-eq 1 because that's the lowest TTL that showed up in my netfilter logs when I tried to traceroute my machine earlier. In other words, I don't think I should use 0, but am willing to be convinced otherwise.

Also, I'm a little unsure if I should be using another ICMP code when I send the REJECT packet. But port unreachable seemed reasonable. =)

Thanks!

--Mike

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
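The match in the rule above, modelled as an added example (not code from the original message or from the netfilter project): it shows which packets the rule would catch and why a UDP traceroute probe reaches its destination with TTL 1 while ordinary UDP traffic to the same ports, arriving with a high TTL, falls through to the rest of the INPUT chain. Assumptions: one probe per hop, the destination port incremented by one per probe, and every intermediate router decrementing the TTL by exactly one.

```python
"""Model of: -A INPUT -p udp --dport 33434:33534 -m ttl --ttl-eq 1
             -j REJECT --reject-with icmp-port-unreachable"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --dport 33434:33534 is inclusive at both ends.
TRACEROUTE_PORTS = range(33434, 33535)
REJECT_VERDICT = "REJECT icmp-port-unreachable"


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp", ...
    dport: int
    ttl: int     # TTL as the packet arrives at the INPUT chain


def traceroute_rule(pkt: Packet) -> Optional[str]:
    """Verdict of the rule, or None when the packet does not match and falls through."""
    if pkt.proto == "udp" and pkt.dport in TRACEROUTE_PORTS and pkt.ttl == 1:
        return REJECT_VERDICT
    return None


def arriving_ttl(initial_ttl: int, hops_to_destination: int) -> int:
    """TTL left when a probe reaches a host that is hops_to_destination hops away.
    Each of the hops_to_destination - 1 routers in between decrements by one (assumed);
    a probe that expires in transit never arrives, reported as 0."""
    remaining = initial_ttl - (hops_to_destination - 1)
    return remaining if remaining > 0 else 0


def simulate_traceroute(hops_to_destination: int, max_ttl: int = 30) -> List[Tuple[int, str]]:
    """(initial_ttl, outcome) for each probe of a UDP traceroute toward a host
    hops_to_destination hops away, stopping once the destination answers (constructed model)."""
    events: List[Tuple[int, str]] = []
    for initial_ttl in range(1, max_ttl + 1):
        ttl = arriving_ttl(initial_ttl, hops_to_destination)
        if ttl == 0:
            events.append((initial_ttl, "ICMP time-exceeded from hop %d" % initial_ttl))
            continue
        # Assumed port scheme: base port 33434, plus one per probe sent.
        verdict = traceroute_rule(Packet("udp", 33434 + initial_ttl - 1, ttl))
        events.append((initial_ttl, verdict or "no match, falls through"))
        if verdict:
            break
    return events
```

Running simulate_traceroute(5) ends with the TTL-5 probe arriving with TTL 1 and drawing the REJECT, while traceroute_rule(Packet("udp", 33434, 64)) returns None.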