Why not just write the lines like this?

iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/m -j ACCEPT
iptables -A INPUT -p icmp ! --icmp-type 8 -j ACCEPT

(I think that is where the ! sign would go.)

This way if your default policy is deny you would still deny icmp-type 8 packets but allow the rest. This has also shortened your rule set by one rule and in my opinion made it much easier to understand to anyone else trying to look at the rules.

- Nick Edens
Checker Distributors

T.J. Eckleberg (9/17/01 2:28 PM):
>Deve Vehrs Wrote:
>>>What about this combination?
>
>>>>Rob 'Feztaa' Park Wrote:
>>>>* iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/m -j ACCEPT
>>>>* iptables -A INPUT -p icmp --icmp-type 8 -j DROP
>>>>* iptables -A INPUT -p icmp -j ACCEPT
>
>>>Not every DROP after assigning the default policy is pointless. Many
>>>times they are required to implement complex rule sets.
>
>Granted. I think this falls into wanting to do something different to
>the datagram (i.e. let some in but drop others) as originally stated.
>
>Joel T. Osburn
>WBGS Architecture & Planning, PC
>(541) 342-7291
>
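Added example, not part of the original posts: a simplified first-match model of the INPUT chain that runs the three-rule and two-rule sets from this thread over the same constructed ICMP traffic, under both a DROP and an ACCEPT chain policy. The names Limit, run and PACKETS are hypothetical, and the limit match is assumed to be a token bucket with the default burst of 5.

```python
# Added example: simplified first-match model of the INPUT chain (not real netfilter code).
from dataclasses import dataclass

@dataclass
class Limit:
    """Token bucket for -m limit: `burst` credits, refilled at `per_sec`."""
    per_sec: float
    burst: int = 5              # iptables default --limit-burst
    credits: float = 5.0
    last: float = 0.0

    def allow(self, now):
        self.credits = min(self.burst, self.credits + (now - self.last) * self.per_sec)
        self.last = now
        if self.credits >= 1:
            self.credits -= 1   # a matching packet spends one credit
            return True
        return False            # out of credit: the rule does not match

def three_rules():              # Rob Park's version from the quoted thread
    return [(lambda t: t == 8, Limit(1 / 60), "ACCEPT"),
            (lambda t: t == 8, None, "DROP"),
            (lambda t: True, None, "ACCEPT")]

def two_rules():                # Nick Edens' shortened version
    return [(lambda t: t == 8, Limit(1 / 60), "ACCEPT"),
            (lambda t: t != 8, None, "ACCEPT")]

def run(rules, packets, policy="DROP"):
    """Return the verdict for each (time_sec, icmp_type) packet, in order."""
    verdicts = []
    for now, icmp_type in packets:
        verdict = policy        # falls through to the chain policy if nothing matches
        for match, limit, target in rules:
            if match(icmp_type) and (limit is None or limit.allow(now)):
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts

# Constructed traffic: eight pings one second apart, two ICMP errors, one late ping.
PACKETS = [(s, 8) for s in range(8)] + [(8, 3), (9, 11), (70, 8)]

if __name__ == "__main__":
    for name, rules in (("three rules", three_rules), ("two rules", two_rules)):
        for policy in ("DROP", "ACCEPT"):
            print(f"{name:11} policy={policy:6}", run(rules(), PACKETS, policy))
```

With policy DROP both rule sets give identical verdicts; with policy ACCEPT only the three-rule set still drops the pings that exceed the limit, so the shorter form depends on the chain policy staying DROP.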