I think the mirror target extension for iptables is rather amusing. Any problems people see before I make all unmatched packets (i.e. policy) mirrored, instead of dropped?

I suppose someone could intentionally send me spoofed packets saying they are 'from' someone. Then my system sends them back to where they came 'from'. The result is a bounced attack?

Is there a safer way to do this, or is dropping the packets the best? Does rp_filter protect against this?

Thanks,
Cory
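
A simplified model of the strict reverse-path check that `rp_filter=1` performs, added here as an illustration; it is not part of the original post and is not kernel code. The routing table, interface names and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed routing table for a dual-homed host (documentation/private ranges).
# Each entry: (destination prefix, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route via the Internet-facing NIC
    ("203.0.113.0/24", "eth0"),   # directly connected WAN subnet
    ("192.168.1.0/24", "eth1"),   # internal LAN
    ("127.0.0.0/8", "lo"),
]

def reverse_path_iface(src, routes=ROUTES):
    """Longest-prefix match on the *source* address: the interface the host
    would use to send a reply to src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_rpf_accepts(src, in_iface, routes=ROUTES):
    """Strict reverse-path check: accept only if the reply to src would leave
    through the interface the packet arrived on."""
    return reverse_path_iface(src, routes) == in_iface

def mirror_candidates(packets, routes=ROUTES):
    """Packets that survive the check and would therefore still reach the
    firewall's catch-all rule (DROP or MIRROR)."""
    return [p for p in packets if strict_rpf_accepts(p[0], p[1], routes)]

# Constructed arrivals: (claimed source address, arrival interface).
SAMPLE = [
    ("192.168.1.50", "eth0"),   # LAN address claimed on the WAN side
    ("127.0.0.1", "eth0"),      # loopback address claimed on the WAN side
    ("198.51.100.7", "eth0"),   # arbitrary Internet address, possibly forged
    ("192.168.1.50", "eth1"),   # genuine LAN host
    ("198.51.100.7", "eth1"),   # Internet address claimed on the LAN side
]

if __name__ == "__main__":
    for src, iface in SAMPLE:
        verdict = "pass" if strict_rpf_accepts(src, iface) else "drop"
        print(f"{src:15} on {iface}: {verdict}")
```

In this model a claimed source that is routed back out of the arrival interface, such as any Internet address arriving on the default-route interface, passes the check, so it would still reach a MIRROR policy.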