On Sunday 31 August 2008 22:31, Joseph L. Casale wrote:
> > We should be talking live. Why don't you join the #centos-social on
> > freenode so we can chat real time?
>
> Robert,
> Just got back from my trip and reading that Tutorial, it went on to state
> what I now find to be two distinct opposite thoughts. It says at
> http://iptables-tutorial.frozentux.net/chunkyhtml/c962.html that you
> shouldn't filter in the NAT Postrouting chain as some streams of packets
> only have their first packet hit the chain and everything else is
> redirected hence the possibility exists that some packets can miss the
> rule.
>
> It seems the Filter Forward chain is the safest place to limit what gets
> masq'ed so internal clients could only have say port 80/443 but no ftp
> access as an example.

That is correct. The only thing that should hit the NAT chain is what you
have already decided should be allowed out.

-- 
Regards
Robert
It is not just an adventure. It is my job!!
Linux User #296285 http://counter.li.org
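The layout the two posters agree on, written out as an added example (this is constructed here and is not code from either poster or from the tutorial): the policy decision lives in filter/FORWARD, and nat/POSTROUTING does nothing but MASQUERADE whatever FORWARD already accepted. The interface names (eth0/eth1), the 192.168.1.0/24 subnet, the `ruleset` and `check_no_nat_filtering` function names and the sample iptables-save dump are all assumptions made for the example. The second function lints a dump for the anti-pattern the cited tutorial page warns about, a DROP or REJECT placed in the nat table, so a ruleset can be checked before it is loaded.

```shell
#!/bin/sh
# Added example, not from the thread. Interface and subnet values are assumptions;
# override them from the environment if you reuse this.
LAN_IF="${LAN_IF:-eth1}"                 # assumed internal interface
WAN_IF="${WAN_IF:-eth0}"                 # assumed upstream interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed internal subnet

# Emit a complete ruleset in iptables-save/iptables-restore format.
# Policy is enforced once, in filter/FORWARD, for the first packet of each
# connection; the nat table only rewrites the source of what got through.
ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies and related traffic for connections FORWARD already accepted
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# the actual policy: LAN clients may only open HTTP/HTTPS towards the WAN
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# anything else from the LAN (ftp/21 included) falls through to the DROP policy
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# no filtering here: only the first packet of a connection visits this chain
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Read an iptables-save dump on stdin and report any DROP/REJECT target that
# sits inside the *nat table. Exit 0 when clean, 1 when such a rule is found.
check_no_nat_filtering() {
    awk '
        /^\*/ { table = substr($0, 2) }               # "*nat", "*filter", ...
        table == "nat" && /-j (DROP|REJECT)/ {
            print "nat table contains a filter rule: " $0
            bad = 1
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample of the anti-pattern: a DROP placed in nat/POSTROUTING.
BAD_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -p tcp --dport 21 -j DROP
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Usage:
#   sh fwd-policy.sh > rules.v4            # print the ruleset
#   iptables-save | sh fwd-policy.sh --lint  # lint the live ruleset (needs root)
#   iptables-restore < rules.v4            # apply it (needs root)
case "${1:-}" in
    --lint) check_no_nat_filtering ;;
    *)      ruleset ;;
esac
```

Loading the printed ruleset requires root and replaces the running tables, so check it with the `--lint` mode first; the lint only needs a saved dump and can run anywhere.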