> On the other hand, if there is not yet a conntrack record in existence
> for the packet, the nat PREROUTING table is consulted
Patrick, I appreciate all your help, and after thinking about this on my vacation last week I think I've got it now thanks to your feedback! Can I ask you a few questions to verify I got what you said regarding how a private LAN can use DNS, HTTP, SMTP, etc. through an SSH-only firewall?

My main confusion, I believe, was that packets associated with preexisting conntracks are handled differently than packets *not* associated with a previous conntrack.

Q1: The conntrack is the "memory" of netfilter that allows it to make decisions based on the "history" of PC traffic, right?

Q2: Packets with a previously associated conntrack are handled *differently* than ones without a previous conntrack... and any attempt to try to understand the behavior of the firewall *without* this concept is doomed to confusion, right?

Q3: Is conntrack a new "iptables only" feature? I imagine ancient ipchains/ipfwadm would have had the same issues and therefore would need something like "conntrack" to work correctly, right?

Sincerely,

Chris

--
_______________________________________
Dr. Christian Seberino
SPAWAR Systems Center San Diego
Code 2363
53560 Hull Street
San Diego, CA 92152-5001
U.S.A.

Phone: (619) 553-7940
Fax: (619) 553-2836
Email: [EMAIL PROTECTED]
_______________________________________
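The distinction the questions above circle around (the first packet of a flow is checked against the policy and the nat PREROUTING table; later packets of the same flow are matched by their conntrack entry) can be shown with a toy model. This is an added example, not code from the thread or from netfilter; the firewall class, the LAN prefix and all addresses and ports are constructed values.

```python
"""Toy model of netfilter connection tracking (added example, not netfilter code).

The first packet of a flow has no conntrack record, so it is checked against the
(nat PREROUTING and) filter policy.  Every later packet of that flow, including the
reply coming back from the Internet, is matched by the conntrack entry instead.
All addresses, ports and the policy below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"

    def flow_key(self):
        # Direction-independent key, so the reply matches the original packet.
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return (self.proto,) + (a + b if a <= b else b + a)


class StatefulFirewall:
    def __init__(self, lan_prefix, allowed_inbound_ports):
        self.lan_prefix = lan_prefix                # e.g. "192.168.1."
        self.allowed_inbound = allowed_inbound_ports  # {22} models an SSH-only firewall
        self.conntrack = set()                      # netfilter's "memory" of flows seen
        self.nat_prerouting_lookups = 0             # how often the nat table was consulted

    def filter(self, pkt):
        if pkt.flow_key() in self.conntrack:
            return "ACCEPT (ESTABLISHED)"  # state rule matches; policy is not re-checked
        # No conntrack record yet: state NEW, so nat PREROUTING and the policy apply.
        self.nat_prerouting_lookups += 1
        from_lan = pkt.src.startswith(self.lan_prefix)
        if from_lan or pkt.dport in self.allowed_inbound:
            self.conntrack.add(pkt.flow_key())
            return "ACCEPT (NEW)"
        return "DROP (NEW)"


def demo():
    fw = StatefulFirewall("192.168.1.", allowed_inbound_ports={22})
    dns_query = Packet("192.168.1.10", 40000, "198.51.100.53", 53, "udp")   # LAN -> DNS
    dns_reply = Packet("198.51.100.53", 53, "192.168.1.10", 40000, "udp")   # DNS reply
    unsolicited = Packet("203.0.113.9", 4444, "192.168.1.10", 80, "tcp")    # inbound HTTP
    ssh_in = Packet("203.0.113.9", 5555, "192.168.1.1", 22, "tcp")          # inbound SSH
    verdicts = [fw.filter(p) for p in (dns_query, dns_reply, unsolicited, ssh_in)]
    return verdicts, fw.nat_prerouting_lookups
```

Running `demo()` shows the DNS reply accepted by state alone even though port 53 is not in the inbound policy, the unsolicited HTTP packet dropped, and the nat table consulted only for the three NEW packets.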
