Hello Everyone, Thank you so much for your responses. I agree Alan, total pain in the neck!!! But it's a ticket that was passed down to me. We moved the stateful firewalls inside the network, broken down to each department.
But as a first on-site defense on our BGP router running Quagga, we only require stateless for performance reasons.

Jerry, thank you so much! I might need some additional help with the three-way handshakes. What I did to stay scalable was:

Define a chain:

    $IPTABLES -N TCP

Handle two-way for a specific service:

    $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
    $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.5 --sport 22 -d 192.168.2.0/24 -j ACCEPT
    $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

Accepting input and output requests to services included in the chain:

    #echo -e " - Accepting input TCP traffic to open ports"
    $IPTABLES -A INPUT -i $INTIF1 -p tcp -j TCP
    #echo -e " - Accepting output TCP traffic to open ports"
    $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j TCP

Dropping everything else:

    #echo -e " - Dropping input TCP to closed ports"
    $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
    #echo -e " - Dropping output TCP traffic to closed ports"
    $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
    #echo -e " - Dropping input traffic to remaining protocols sent to closed ports"
    $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
    #echo -e " - Dropping output traffic to remaining protocols sent to closed ports"
    $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

Hope this keeps me scalable enough to keep the world of pain at bay as much as possible...

N.
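On the three-way handshake point raised above: in a stateless ruleset the return-path rule (`--sport 22` back to the client network) accepts any TCP segment, including a bare SYN, so a process on the server bound to source port 22 could open connections toward the clients and they would be allowed. The following is an added example, not the poster's ruleset, that builds the same kind of TCP chain but uses `--tcp-flags` / `! --syn` so that only the client side can start a connection, plus two common flag-sanity drops. `INTIF1` and the `echo iptables` dry-run default are assumptions; set `IPTABLES=iptables` to load the rules for real.

```shell
#!/bin/sh
# Added example (not from the original post): stateless TCP service chain
# that enforces handshake direction with --tcp-flags.
# Default is dry-run: rules are printed instead of loaded.
IPTABLES=${IPTABLES:-"echo iptables"}
INTIF1=${INTIF1:-eth1}   # assumed interface name, adjust to your router

# Emit (or load) the TCP chain for one service.
#   $1 = client network   $2 = server address   $3 = TCP port
stateless_tcp_service() {
    client_net=$1; server=$2; port=$3

    $IPTABLES -N TCP 2>/dev/null

    # Flag-sanity drops: segments with no flags, or SYN+FIN together, are
    # never part of a legitimate handshake.
    $IPTABLES -A TCP -p tcp --tcp-flags ALL NONE -j DROP
    $IPTABLES -A TCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    # Client -> server: any segment to the service port, which covers the
    # opening SYN, the handshake ACK, data and teardown.
    $IPTABLES -A TCP -p tcp -s "$client_net" -d "$server" --dport "$port" -j ACCEPT

    # Server -> client: only segments that are NOT a bare SYN. SYN/ACK, ACK,
    # data and FIN pass, but the server cannot originate a connection from
    # source port $port toward the client network.
    $IPTABLES -A TCP -p tcp -s "$server" --sport "$port" -d "$client_net" ! --syn -j ACCEPT

    # Anyone else reaching for the service port is dropped here.
    $IPTABLES -A TCP -p tcp -d "$server" --dport "$port" -j DROP
}

# Hook the chain into INPUT/OUTPUT on the inside interface, as the
# original ruleset does.
hook_tcp_chain() {
    $IPTABLES -A INPUT  -i "$INTIF1" -p tcp -j TCP
    $IPTABLES -A OUTPUT -o "$INTIF1" -p tcp -j TCP
}

# Usage (dry run prints the rules):
#   stateless_tcp_service 192.168.2.0/24 192.168.2.5 22
#   hook_tcp_chain
```

Run it once without setting `IPTABLES` to review the generated rules; the only behavioural difference from the posted chain is the `! --syn` match on the server-to-client rule and the two sanity drops at the top.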