>> > Could you post /etc/sysconfig/iptables?
>> /etc/sysconfig/iptables doesn't necessarily reflect what is running
>> right now, and you can't include the counters with it.
> I'm not interested in the counters; I want to see how the rules are.

I think he's trying to tell you that any changes made since the *last*
write to /etc/sysconfig/iptables won't be reflected in that file. Or
rather, what if that file has been written to, but not read from?

The fact remains that "iptables -L" is more useful because it is a live
state. In fact, I've got a few machines where all my rules are only kept
in running memory. They're all activated/reactivated/modified using
scripts. No state is stored on disk.

> [snip]
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> [/snip]
> What are we accepting here? All packets? If this is the case then there is
> no need for the rest of the rules in this chain.

Depends on the INPUT rule that references this. But yes, once a packet
has been filtered to get here, then it will be accepted.

See? You can read this output.

-- 
Spiro Harvey
Knossos Networks Ltd
021-295-1923
www.knossos.net.nz
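The point made in the thread, that an unconditional "ACCEPT all anywhere anywhere" at the top of RH-Firewall-1-INPUT makes every later rule in that chain unreachable, can be checked mechanically against the live `iptables -L -n` output rather than against the file on disk. The script below is an added example, not code from the thread or from any of its participants. The listing it parses is constructed to mirror the chain shown above (not captured from a real host), it assumes the plain `-L -n` column layout without `-v`, and the function names `parse_listing`, `is_unconditional` and `find_shadowed` are my own.

```python
import re

# Constructed sample: the text form of `iptables -L -n` (no -v), modelled on
# the RH-Firewall-1-INPUT layout quoted in the thread. Not from a real host.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmptype 255
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

# "Chain NAME (policy X)" for built-in chains, "Chain NAME (N references)" for user chains.
CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references?)\)")
# Targets that end traversal of the current chain for a packet they match.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}
# Address forms iptables prints for "match any" (with and without -n).
ANY_ADDR = {"0.0.0.0/0", "::/0", "anywhere"}


def parse_listing(text):
    """Parse `iptables -L -n` text into
    {chain: {"policy": str|None, "references": int, "rules": [rule, ...]}}."""
    chains = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CHAIN_HEADER.match(line)
        if m:
            name, policy, refs = m.groups()
            current = chains[name] = {
                "policy": policy,
                "references": int(refs) if refs else 0,
                "rules": [],
            }
            continue
        if line.startswith("target"):  # column header row under each chain
            continue
        if current is None:
            raise ValueError("rule line before any chain header: %r" % line)
        # Five fixed columns, then everything else is the extra match text.
        fields = line.split(None, 5)
        if len(fields) < 5:
            raise ValueError("unparseable rule line: %r" % line)
        target, prot, opt, src, dst = fields[:5]
        extra = fields[5].strip() if len(fields) == 6 else ""
        current["rules"].append({"target": target, "prot": prot, "opt": opt,
                                 "source": src, "destination": dst,
                                 "extra": extra})
    return chains


def is_unconditional(rule):
    """True when the rule matches every packet: all protocols, any source and
    destination, no option flags and no extra match (state, dpt, icmptype...)."""
    return (rule["prot"] == "all" and rule["opt"] == "--"
            and rule["source"] in ANY_ADDR
            and rule["destination"] in ANY_ADDR
            and rule["extra"] == "")


def find_shadowed(chains):
    """For each chain, return the (index, rule) pairs that can never be reached
    because an earlier unconditional terminating rule swallows every packet."""
    report = {}
    for name, chain in chains.items():
        for i, rule in enumerate(chain["rules"]):
            if rule["target"] in TERMINATING and is_unconditional(rule):
                rest = [(j, r) for j, r in enumerate(chain["rules"]) if j > i]
                if rest:
                    report[name] = rest
                break
    return report


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    for name, rules in find_shadowed(chains).items():
        print("%s (%d references): %d unreachable rule(s)"
              % (name, chains[name]["references"], len(rules)))
        for idx, rule in rules:
            print("  rule %d: %s %s %s"
                  % (idx + 1, rule["target"], rule["prot"], rule["extra"]))
```

Feed it real output with `iptables -L -n | python3 shadowed.py`-style plumbing (reading stdin instead of `SAMPLE_LISTING`) and it reports the three rules after the blanket ACCEPT as dead. Because it reads the live listing, it reflects what the kernel is enforcing now, which is exactly why the thread prefers `iptables -L` over the file in /etc/sysconfig. The `(2 references)` count is parsed too, so the same report can say whether the shadowed chain is actually reachable from INPUT or FORWARD.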