On May 5, 2010, at 9:54 AM, Boniforti Flavio wrote:

>> Don't know if this is going to work, but if it does, rules
>> similar to these may solve your problem. With no proxy whinage.
>
> This *is* going to work

Thanks for that. Now I know that if it doesn't, it's my implementation, not the design...

> I did such setups too, some years ago. The fact
> is, that similar solutions require some more intervention, because (as
> you might know) every day a new software/tool/internet application needs
> to be used (and it is FOR SURE that it HAS to be used, for working
> purposes, not for joke)... This would mean, adding rules from time to
> time...

It would indeed. One of the delights (IMHO) of iptables is local chains. My packet filter will have special chains for stuff. So when a new LAN-to-NET rule is needed, "iptables -A LANtNET -p <...> --dport <...> -j ALLOW" is all that's needed. Actually, that'd go into the shell script that builds the filter.

> Good luck, but still I confess that I *may be* switching to this your
> suggestion too! ;-)

Use default deny and break up the logic into chains (within reason). Makes things a lot easier to maintain. Did for me, anyway.

-- 
Glenn English
ghe@xxxxxxxxxxx
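The layout Glenn describes (default deny on the built-in chains, one local chain per traffic direction, and a one-liner per newly permitted service) as a filter-building shell script. This is an added example and not Glenn's script or anything from the thread; the interface names (eth0/eth1), the chain names LANtNET/NETtLAN, the permitted ports and the DRYRUN switch are assumptions for illustration, and the built-in ACCEPT target is used where the mail writes ALLOW. By default the script only prints the iptables commands it would run; set DRYRUN=0 and run it as root to actually load the rule set.

```shell
#!/bin/sh
# Added example, not the original poster's script: build a default-deny
# iptables filter from per-direction local chains, so that permitting a new
# LAN-to-Internet service is a single added line in allow_lan_to_net.
# Interface names, chain names and port list are assumptions for illustration.
# DRYRUN=1 (default) prints each command; DRYRUN=0 executes it (needs root).
set -eu

LAN_IF="${LAN_IF:-eth1}"
NET_IF="${NET_IF:-eth0}"
DRYRUN="${DRYRUN:-1}"

# Wrapper so the same script can be reviewed (printed) before it is applied.
ipt() {
    if [ "$DRYRUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The "one line per new service" hook from the mail: protocol and port.
# Only NEW connections are matched here; replies are handled statefully below.
allow_lan_to_net() {
    ipt -A LANtNET -p "$1" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

build_filter() {
    # Start from a clean table, then default deny on the chains that matter.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT   # the firewall host itself may initiate; tighten if needed

    # Local chains, one per direction of forwarded traffic.
    ipt -N LANtNET
    ipt -N NETtLAN

    # Return traffic first, then dispatch by interface pair into the local chains.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$NET_IF" -j LANtNET
    ipt -A FORWARD -i "$NET_IF" -o "$LAN_IF" -j NETtLAN

    # What the LAN is allowed to open toward the Internet (assumed port list).
    allow_lan_to_net udp 53
    allow_lan_to_net tcp 53
    allow_lan_to_net tcp 80
    allow_lan_to_net tcp 443

    # Nothing matched in a local chain falls through to the FORWARD policy (DROP).
    # Log it first, rate limited, so "which new application broke" is answerable.
    ipt -A LANtNET -m limit --limit 5/min -j LOG --log-prefix "LANtNET drop: "
    ipt -A NETtLAN -m limit --limit 5/min -j LOG --log-prefix "NETtLAN drop: "
}

build_filter
```

Because unmatched packets fall back to the chain policy rather than to an explicit rule, the local chains only ever need ACCEPT (and LOG) entries; a new requirement is one allow_lan_to_net line and a re-run of the script, which is the maintenance property the mail is after.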