> Should you want to continue with your own tool, at least for IPv4, > consider using tables rather than a raft of rules. With tables, you need > only a single rule and it is there at boot time. Also, you might want to consider switching to pf which this functionality built-in. Jan