There are a bunch of kernel level filtering and routing 'setups' that are disconnected from the firewall (see /proc/sys/net/ipv4/) Including tcp_syscookies etc. -- jludwig <wralphie at comcast.net>