If table 2 contains a blacklist, why not deny traffic at the top?
Why are you silently dropping fragmented TCP packets? This will break
Path MTU discovery.
Why do you have a check-state rule after rule 500? That's backwards.
You might consider putting check-state at the beginning.
You don't wan

Sorry, revise my remarks about path MTU - pre-coffee. But you don't
really want to drop those explicitly, at least not silently. Let TCP
take care of it.
Also, if you want to permit ICMP, you should probably restrict it to
reasonable icmptypes (echo, echo reply, error need-frag, etc.)
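Added example, not from the thread and not the original poster's ruleset: a sketch of an ipfw rule script that reflects the review points above (check-state first, the table 2 blacklist denied at the top, no explicit silent drop of fragments, ICMP restricted with icmptypes). The rule numbers, the set of inbound services, the ICMP type list and the DRYRUN wrapper used to review the ordering off-box are all assumptions.

```shell
#!/bin/sh
# Sketch of an ipfw ruleset following the review points in the thread.
# Assumptions (not from the thread): rule numbers, the inbound services,
# the ICMP type list, and the DRYRUN wrapper used for off-box review.

fwcmd="${FWCMD:-/sbin/ipfw -q}"

# fw: add one rule. With DRYRUN set, print the rule instead of loading it,
# so the ordering can be reviewed on a machine that has no ipfw.
fw() {
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "$*"
    else
        $fwcmd add "$@"
    fi
}

build_rules() {
    # 1. check-state first: packets matching an existing dynamic rule are
    #    accepted here, before any static rule below can drop them.
    fw 100 check-state

    # 2. Blacklist (table 2) denied at the top, logged so hits are visible.
    fw 200 deny log ip from 'table(2)' to any in

    # 3. Loopback.
    fw 300 allow ip from any to any via lo0

    # 4. Outbound connections from this host create dynamic rules; the
    #    replies come back in through rule 100.
    fw 400 allow tcp from me to any out setup keep-state
    fw 410 allow udp from me to any out keep-state

    # 5. Inbound services (SSH only in this sketch).
    fw 500 allow tcp from any to me 22 in setup keep-state

    # 6. No rule dropping fragments. If you want to see them, count and
    #    log them rather than silently deny.
    fw 600 count log ip from any to any frag

    # 7. ICMP restricted to useful types: 0 echo reply, 3 destination
    #    unreachable (code 4, fragmentation needed, is what PMTU discovery
    #    relies on), 8 echo request, 11 time exceeded (traceroute).
    fw 700 allow icmp from any to any icmptypes 0,3,8,11

    # 8. Default deny, logged.
    fw 65000 deny log ip from any to any
}

# rule_number_of: print the rule number of the first rule whose text matches
# the given grep pattern (dry run), used to check ordering.
rule_number_of() {
    DRYRUN=1 build_rules | grep -- "$1" | head -n 1 | cut -d' ' -f1
}

case "${1:-}" in
    apply)
        $fwcmd -f flush
        build_rules
        ;;
    *)
        DRYRUN=1 build_rules
        ;;
esac
```

Run it with no argument to print the rules for review, with `apply` to flush and load them. Note that `icmptypes` matches on the ICMP type only, so you cannot permit just the need-frag code; allowing type 3 as a whole is the practical choice. The `log` keyword on the deny rules is rate-limited by the `net.inet.ip.fw.verbose_limit` sysctl, so a blacklisted host cannot flood the log.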
On Wed, J