Hello,

I'm wondering about the practical difference between these seemingly equivalent rules (notice the module order):

iptables -A INPUT -i eth0 -p tcp --dport 8140 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8140 -j ACCEPT

[root@test1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8140 state NEW
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:8140

Rule 1: TCP --> state
Rule 2: state --> TCP

While I always use the form of rule 1 (filter first, then state NEW), I found some systems configured like rule 2 – which appears to have the same end result – and I wonder if rule 2 (state first, then filter) has any side effects or causes more overhead.

Thanks for any insight!

Wouter
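The comparison asked about above, as an added example that is not part of the original post: it parses both commands into their set of criteria and the order in which the match modules are listed, which is useful when auditing rulesets written in both styles. It assumes long options belong to the most recent `-m` module (or to the `-p` protocol when no `-m` precedes them); `parse_rule` and `same_filter` are names made up here.

```python
import shlex

# Short options that belong to the rule itself rather than to a match module.
CORE = {"-i": "in-interface", "-o": "out-interface", "-p": "protocol",
        "-s": "source", "-d": "destination"}

RULE_1 = "iptables -A INPUT -i eth0 -p tcp --dport 8140 -m state --state NEW -j ACCEPT"
RULE_2 = "iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8140 -j ACCEPT"

def parse_rule(command):
    """Split one `iptables -A` command into chain, target, criteria and module order."""
    tokens = shlex.split(command)
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    rule = {"chain": None, "target": None, "criteria": set(), "order": []}
    module = None    # module that owns the long options being read
    negate = False   # set by a "!" placed before an option
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError(f"option {tok!r} has no value")
        value = tokens[i + 1]
        if tok == "-A":
            rule["chain"] = value
        elif tok == "-j":
            rule["target"] = value
        elif tok == "-m":
            module = value
        elif tok in CORE:
            rule["criteria"].add((CORE[tok], value, negate))
            if tok == "-p":
                module = value  # assumption: options after -p tcp belong to the tcp match
        elif tok.startswith("--") and module is not None:
            rule["criteria"].add((module, tok, value, negate))
            if module not in rule["order"]:
                rule["order"].append(module)
        else:
            raise ValueError(f"unsupported token {tok!r}")
        negate, i = False, i + 2
    return rule

def same_filter(cmd_a, cmd_b):
    """True when both commands have the same chain, target and set of criteria."""
    a, b = parse_rule(cmd_a), parse_rule(cmd_b)
    return all(a[k] == b[k] for k in ("chain", "target", "criteria"))
```

For the two rules in the post, `same_filter` reports identical criteria, while the `order` lists differ in the same way as the `iptables -L` output.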