Hi,

> hi, when i set the INPUT policy of DROP and then insert a rule -A
> INPUT -s lan-machine -j ACCEPT, the lan machine normally must be
> able to ping the firewalled machine?

You are perfectly right with this, the "lan-machine" will be able to send a ping request (or anything else) to the firewalled machine and it will be accepted. If you don't get any answers from the firewalled machine this might be caused by the OUTPUT chain dropping the answers of the firewalled machine.

To see ping (and everything else) working you have to ensure both:

- The requests reaching the firewalled machine (as you actually did)
- The answers being able to leave the firewalled machine

> with this syntax the -p option is default set to "all". so icmp is
> also under "all" to find, or i am wrong?

No, you are not wrong. This is perfectly right.

Regards
Alex
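
The two conditions from the reply above, as an added example that is not part of the original message: a small check that reads `iptables-save`-style text and reports the verdict for the request (INPUT) and for the reply (OUTPUT). The address 192.168.1.10 standing in for "lan-machine", the OUTPUT policy of DROP, and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread. 192.168.1.10 is a constructed
# stand-in for "lan-machine"; the OUTPUT policy of DROP is an assumption.

# verdict RULES CHAIN FLAG ADDR: first matching rule's target, else chain policy.
# Sketch only: understands -s/-d/-p/-j; rules with other matches are skipped.
verdict() {
    printf '%s\n' "$1" | awk -v chain="$2" -v flag="$3" -v addr="$4" '
    $1 == (":" chain) { policy = $2 }              # e.g. ":INPUT DROP [0:0]"
    $1 == "-A" && $2 == chain && !hit {
        ok = 1; target = ""
        for (i = 3; i < NF; i += 2) {              # options come in flag/value pairs
            v = $(i + 1); sub(/\/32$/, "", v)      # iptables-save prints hosts as /32
            if ($i == "-j") target = v
            else if ($i == "-p") { if (v != "icmp" && v != "all") ok = 0 }
            else if ($i == flag) { if (v != addr) ok = 0 }
            else ok = 0                            # match type outside this sketch
        }
        if (ok && target ~ /^(ACCEPT|DROP|REJECT)$/) { print target; hit = 1 }
    }
    END { if (!hit) print policy }'
}

# ping_check RULES PEER: verdict for both directions of a ping from PEER.
ping_check() {
    req=$(verdict "$1" INPUT -s "$2")    # echo-request arriving from the peer
    rep=$(verdict "$1" OUTPUT -d "$2")   # echo-reply leaving towards the peer
    echo "request=$req reply=$rep"
}

# Constructed sample: the rule from the question, with OUTPUT dropping by default.
RULES_REPLY_BLOCKED=':INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 192.168.1.10/32 -j ACCEPT'

# Same ruleset with the return path opened towards the LAN machine.
RULES_REPLY_ALLOWED="$RULES_REPLY_BLOCKED
-A OUTPUT -d 192.168.1.10/32 -j ACCEPT"

ping_check "$RULES_REPLY_BLOCKED" 192.168.1.10
ping_check "$RULES_REPLY_ALLOWED" 192.168.1.10
```

On a live host the same text can be fed from `iptables-save` output; rules using interface, state or other match modules are skipped by this sketch and need to be read by hand.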