Thanks Michael. You're right, 4x. Below is the iptables-save output followed by the -L output. The -L output incorrectly puts the source and destination as "anywhere", when in fact it's just open for lo. Is this a bug or a "simplification"?

Thanks,
John

> On Fri, 4 Jul 2003 13:01:14 -0400, John Meagher wrote:
>
> > [root@xxxxxxxxx sysconfig]# iptables -L
>
> You'll find that the output of "iptables-save" is much more
> readable and complete. If I had to use "iptables -L", I would
> add option "-v" (--verbose). But iptables-save is great.
>
> > 1) Why does Lokkit put that first rule in there? And since it's there,
> > why doesn't it work?
> > Shouldn't it cause the rest of the rules to be ignored?
>
> "iptables -L" usually does not include enough details.
>
> > 2) Why does a second, identical rule get honored, (i.e. the firewall is
> > opened up)
> > if I add it with "iptables -I RH-Lokkit-0-50-INPUT 1 -j ACCEPT"
>
> This may be a completely different rule.
>
> > 3) Lokkit uses options -p udp -m udp in the rules it puts in
> > /etc/sysconfig/iptables.
> > What's the -m option? There was a -m for mark in ipchains, but that
> > doesn't seem relevant.
>
> -m is short for --match, see "man iptables", MATCH EXTENSIONS.
[root@xxxxxxxxx sysconfig]# iptables-save
# Generated by iptables-save v1.2.7a on Fri Jul 4 14:36:46 2003
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2843:194407]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 209.249.176.5 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 209.249.176.7 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jul 4 14:36:46 2003

[root@xxxxxxxxx sysconfig]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  monroe.patriot.net   anywhere            udp spt:domain
ACCEPT     udp  --  jackson.patriot.net  anywhere            udp spt:domain
REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp reject-with icmp-port-unreachable
[root@xxxxxxxxx sysconfig]#
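As an added illustration (not part of this thread or of Lokkit), the following audit script reads iptables-save output, which keeps the `-i lo` that `iptables -L` hides, and flags a rule with no match clause at all, such as the first `-A RH-Lokkit-0-50-INPUT -j ACCEPT`, together with every later rule in that chain whose verdict it overrides. The sample dump is a constructed subset of the output above.

```python
import shlex

# Constructed sample: a subset of the Lokkit chain from the iptables-save dump above.
SAVE_OUTPUT = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 209.249.176.5 -p udp -m udp --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

TERMINATING = ("ACCEPT", "DROP", "REJECT")


def parse_rules(save_text):
    """Return (chain, match_tokens, target) for every -A line.

    iptables-save always emits the match clauses (-i, -s, -p, -m ...)
    before -j, so everything between the chain name and -j is the match.
    """
    rules = []
    for line in save_text.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        j = tokens.index("-j")
        rules.append((tokens[1], tokens[2:j], tokens[j + 1]))
    return rules


def find_shadowed_rules(rules):
    """Report rules that can never change the outcome because an earlier
    rule in the same chain has no match clause and so takes every packet.

    Each finding is (chain, catch_all_target, shadowed_target, shadowed_match).
    Only rules whose verdict differs from the catch-all are reported: a
    REJECT after an unconditional ACCEPT is exactly the case that silently
    opens the firewall.
    """
    findings = []
    catch_all = {}  # chain -> target of the first unconditional terminating rule
    for chain, matches, target in rules:
        if chain in catch_all:
            if target != catch_all[chain]:
                findings.append((chain, catch_all[chain], target, " ".join(matches)))
        elif not matches and target in TERMINATING:
            catch_all[chain] = target
    return findings


if __name__ == "__main__":
    for chain, first, later, match in find_shadowed_rules(parse_rules(SAVE_OUTPUT)):
        print(f"{chain}: unconditional {first} shadows '{later} {match}'")
```

On the dump above this reports both REJECT rules as unreachable, which is the "shouldn't it cause the rest of the rules to be ignored?" behaviour John asks about.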