Early in my forward chain I accept all RELATED,ESTABLISHED. This allows anything that is part of an established connection. Is this a security threat?

The reason I put this rule early is that, also early, I want to -A FORWARD -i $EXT_DEVICE -d 192.168.10.0/24 -j DROP, that is, not let anything be forwarded to my internal net. But this rule blocks responses when pinging the outside from the inside. The RELATED,ESTABLISHED rule lets traffic initiated on the inside work.

ALSO, I don't understand why this rule: -A FORWARD -i $EXT_DEVICE -d 192.168.10.0/24 -j DROP was blocking responses to NATed requests. When the responses enter the router, their dest is the external interface. This DROP rule would only have effect AFTER NAT mangled the packet. But a NATed packet, of course, I want to ACCEPT. Can anyone clear up the flow for me?
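
Added example, not part of the original post: a simplified Python model of the traversal order the question asks about, in which connection tracking and reverse NAT run at PREROUTING, before the FORWARD chain is evaluated. The device names, addresses and conntrack entry are constructed, and the model goes slightly beyond the post by also checking an unsolicited inbound packet against both rule orderings.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.10.0/24")
EXT_DEV, INT_DEV = "eth0", "eth1"   # assumed device names
EXT_IP = "203.0.113.1"              # constructed external address of the router

def prerouting(pkt, conntrack):
    """Runs before routing and FORWARD: conntrack lookup, then reverse NAT on replies."""
    orig_src = conntrack.get((pkt["src"], pkt["dst"], pkt["id"]))
    if orig_src is None:
        return dict(pkt, state="NEW")
    return dict(pkt, dst=orig_src, state="ESTABLISHED")   # dst is now the LAN host

def forward(pkt, rules):
    """Filter FORWARD chain: first matching rule decides, default policy DROP."""
    for name, match, verdict in rules:
        if match(pkt):
            return verdict, name
    return "DROP", "policy"

def traverse(pkt, rules, conntrack):
    """Path of a routed packet: PREROUTING first, then FORWARD."""
    return forward(prerouting(pkt, conntrack), rules)

DROP_TO_LAN = ("drop-ext-to-lan",
               lambda p: p["in"] == EXT_DEV and ipaddress.ip_address(p["dst"]) in LAN,
               "DROP")
ACCEPT_EST = ("accept-established",
              lambda p: p["state"] in ("ESTABLISHED", "RELATED"), "ACCEPT")

# Constructed scenario: 192.168.10.5 pinged 198.51.100.7 and was masqueraded to EXT_IP,
# so conntrack expects a reply 198.51.100.7 -> EXT_IP carrying echo id 77.
CONNTRACK = {("198.51.100.7", EXT_IP, 77): "192.168.10.5"}
REPLY = {"in": EXT_DEV, "src": "198.51.100.7", "dst": EXT_IP, "id": 77}
UNSOLICITED = {"in": EXT_DEV, "src": "198.51.100.7", "dst": "192.168.10.9", "id": 5}

if __name__ == "__main__":
    for label, rules in (("DROP first", [DROP_TO_LAN, ACCEPT_EST]),
                         ("ESTABLISHED first", [ACCEPT_EST, DROP_TO_LAN])):
        for pname, pkt in (("reply", REPLY), ("unsolicited", UNSOLICITED)):
            print(label, pname, traverse(pkt, rules, CONNTRACK))
```

In this model the reply reaches FORWARD with its destination already rewritten to 192.168.10.5, so the DROP rule matches it unless the RELATED,ESTABLISHED accept comes first; the unsolicited packet is in state NEW and is dropped under either ordering.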