I have noticed a problem with the ipmasq package: by default it sets all chain policies to DENY. However, I have noticed that when my modem connection drops out and I get a new IP address upon reconnect, any ssh or irc connections I had going on machines behind the firewall completely hang for a very long time (especially ssh).
I just now looked in the logs on the firewall and found it DENYing outgoing connections on port 6667 and 22 because the IP address had changed the rules, I presume. Would it not be better to set the output chain policy to REJECT instead of DENY? This way a destination unreachable should be sent back to the disconnected irc and ssh programs and they should no longer hang. I have not tested this assumption yet; I was wondering if there is any reason for the output policy to be DENY rather than REJECT? Thanks.

-- Ethan