Hi there, I want to be able to restrict what traffic leaves an interface if the traffic was initially created on the Vyatta box. So, in our case, it's mainly being used as a VPN end-point; for the internet-exposed side, to help protect against 'nasties', we want to restrict what the actual router can do itself. DNS servers are internal, so no worries there. I've created rules to allow ICMP, NTP and package upgrades out. I've also created a rule to deny all other traffic that has a source address of the interface address on eth0. The problem is that when this firewall is applied to the "out" direction of the eth0 interface, nothing seems to trigger logging, other than traffic that the router is NATing for. Am I missing something obvious here?

Code:

    firewall {
        broadcast-ping disable
        name dmz-rtr {
            ************
        }
        name frm-dmz {
            ************
        }
        name frm-off {
            ************
        }
        name off-rtr {
            ************
        }
        name rtr-dmz {
            rule 20 {
                action accept
                description "Allow Router to query NTP server"
                destination {
                    address ************
                    port 123
                }
                log enable
                protocol udp
                source {
                    address 212.23.0.229
                }
            }
            rule 30 {
                action accept
                description "Allow Router to get package upgrades from vyatta"
                destination {
                    address 76.74.103.38
                    port 80
                }
                log enable
                protocol tcp
                source {
                    address 212.23.0.229
                }
            }
            rule 900 {
                action accept
                description "Allow all ICMP"
                log enable
                protocol icmp
            }
            rule 1000 {
                action drop
                description "Block all other router initiated traffic"
                log enable
                source {
                    address 212.23.0.229
                }
            }
            rule 1001 {
                action accept
                description "Default Allow All"
                log enable
            }
        }
    }
    interfaces {
        ethernet eth0 {
            address 212.23.0.229/28
            firewall {
                in {
                    name frm-dmz
                }
                local {
                    name dmz-rtr
                }
                out {
                    name rtr-dmz
                }
            }
            hw-id 00:50:56:87:6e:35
        }
        ethernet eth1 {
            address ************/24
            firewall {
                in {
                    name frm-off
                }
                local {
                    name off-rtr
                }
            }
            hw-id 00:50:56:87:03:70
        }
        loopback lo {
        }
    }
    protocols {
        static {
            route 10.1.0.0/20 {
                next-hop ************ {
                }
            }
            route 10.5.0.0/20 {
                next-hop ************ {
                }
            }
            route 10.8.0.0/23 {
                next-hop ************ {
                }
            }
        }
    }
    service {
        https
        nat {
            rule 10 {
                description "No NAT for 10.x"
                destination {
                    address 10.0.0.0/8
                }
                exclude
                outbound-interface eth0
                type masquerade
            }
            rule 12 {
                description "NAT for Internet"
                outbound-interface eth0
                type masquerade
            }
        }
        ssh {
            allow-root true
        }
    }
    system {
        domain-name net.mgmt
        gateway-address ************
        host-name OpenVPN
        login {
            user root {
                authentication {
                    encrypted-password *************
                }
            }
            user vyatta {
                authentication {
                    encrypted-password *************
                }
            }
        }
        name-server 10.5.0.1
        name-server 10.5.0.2
        ntp-server ntp0.***.co.uk
        package {
            auto-sync 1
            repository community {
                components main
                distribution stable
                url http://packages.vyatta.com/vyatta
            }
        }
        syslog {
            host 10.6.1.2 {
                facility all {
                    level info
                }
            }
        }
    }

Thanks in advance!

source: http://www.vyatta.org/forum/viewtopic.php?t=3478
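As an added example (not code from the forum post or from Vyatta), the script below parses a Vyatta-style brace configuration and evaluates a named rule set first-match against a few constructed flows, which is a quick way to check that rules 20, 900, 1000 and 1001 in the poster's rtr-dmz set order the way the descriptions intend. The rule set is a trimmed copy of the one above; the NTP server address, which is redacted in the post, is replaced by the constructed placeholder 192.0.2.10, and the other destination addresses are constructed test values. The model covers only protocol, host/CIDR address and single-port matches, and it says nothing about which kernel hook the interface "out" binding lands on, which is the question the post is actually asking.

```python
# Added example, not code from the forum post or from Vyatta: parse a
# Vyatta-style brace config and evaluate a named firewall rule set first-match
# against constructed flows. 192.0.2.10 stands in for the redacted NTP server.
import ipaddress
import shlex

CONFIG = """
firewall {
    name rtr-dmz {
        rule 20 {
            action accept
            description "Allow Router to query NTP server"
            destination {
                address 192.0.2.10
                port 123
            }
            protocol udp
            source {
                address 212.23.0.229
            }
        }
        rule 900 {
            action accept
            protocol icmp
        }
        rule 1000 {
            action drop
            source {
                address 212.23.0.229
            }
        }
        rule 1001 {
            action accept
        }
    }
}
"""


def parse_config(text):
    """Turn 'key [value] {' blocks and 'key value' leaves into nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            node = cur
            for part in shlex.split(line[:-1]):   # "rule 20" -> rule -> 20
                node = node.setdefault(part, {})
            stack.append(cur)
            cur = node
        else:
            key, *rest = shlex.split(line)        # quoted descriptions stay whole
            cur[key] = " ".join(rest) if rest else True
    return root


def addr_matches(addr, spec):
    """A rule side with no address matches anything; otherwise host or CIDR."""
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, flow):
    if "protocol" in rule and rule["protocol"] != flow["protocol"]:
        return False
    for side in ("source", "destination"):
        spec = rule.get(side, {})
        if not addr_matches(flow[side], spec.get("address")):
            return False
        # Single ports only; Vyatta also accepts ranges and lists here.
        if "port" in spec and int(spec["port"]) != flow.get(side + "_port"):
            return False
    return True


def evaluate(ruleset, flow):
    """First match wins in ascending rule number; an unmatched packet gets the
    rule set's default-action, which Vyatta leaves at drop unless configured."""
    rules = ruleset.get("rule", {})
    for num in sorted(rules, key=int):
        if rule_matches(rules[num], flow):
            return int(num), rules[num]["action"]
    return None, ruleset.get("default-action", "drop")


def flow(protocol, source, destination, dport=None):
    return {"protocol": protocol, "source": source,
            "destination": destination, "destination_port": dport}


RTR_DMZ = parse_config(CONFIG)["firewall"]["name"]["rtr-dmz"]
ROUTER = "212.23.0.229"  # eth0 address from the post

if __name__ == "__main__":
    for f in (flow("udp", ROUTER, "192.0.2.10", 123),         # router -> NTP
              flow("icmp", ROUTER, "198.51.100.7"),            # router ping
              flow("tcp", ROUTER, "198.51.100.7", 443),        # router-originated HTTPS
              flow("tcp", "10.5.0.23", "198.51.100.7", 443)):  # forwarded LAN host
        print(f["protocol"], f["source"], "->", f["destination"], evaluate(RTR_DMZ, f))
```

Run it directly to see each constructed flow paired with the rule number and action it hits; a router-sourced flow that matches none of the explicit allows falls through to rule 1000 and is dropped, while a forwarded LAN flow skips 1000 and lands on the accept-all in 1001.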