On Mon, Dec 10, 2001 at 01:21:15PM +0000, Tim Haynes wrote:
> Ultimately, I want input & forward to be drop-by-default. However, the
> `block' chain is meant to be good for both input & forward scenarios; it
> has rules for stateful filtering and `open' things, then a drop & log. If I
> put in a rule matching -i and/or -o as appropriate, it still doesn't seem
> to work. Maybe I've done something wrong (and I don't really want to post
> ork's firewall in any more detail).
>
> What about if I kick *all* packets from forward onto `block', though?
> That's the bit I'm not wholly happy about.
>

I think you are better to break your rules up into separate connection
orientated rulesets. I will reply off list with more details as this is
getting a little off topic now.

Cheers.

Mark.