Hi All,

Just wondering what others do when it comes to jumping to new chains from the forward chain for protecting services running behind your MikroTik running as a firewall.

We typically jump to a new chain for stuff like SMTP servers or web servers and then filter based on protocol and port within that new chain to protect boxes, then drop anything that doesn't match.

Some people add an accept rule at the top of each of those chains for related and established connections; some people add one at the beginning of the default forward chain. What are people's thoughts on the pros and cons of doing this in any way mentioned? Are there any risks doing it one way or another, or should you just stick to allowing only the trusted ports and protocols through in each relevant chain rather than anything that's already been allowed previously?

I'm interested in people's thoughts on this.

Thanks

Paul
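
The two layouts the post asks about, written out as RouterOS filter rules so the difference in packet path is visible. This is an added example, not part of the original post; the chain names and the 192.0.2.x server addresses are placeholders, and A and B are alternatives, not one ruleset.

```routeros
# Layout A: a single established/related accept at the top of forward.
# Packets of connections that are already tracked are accepted here and
# never reach the per-service chains. Only the first packet of a new
# connection is checked against the port rules.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="A: accept tracked connections once, for all services"
add chain=forward action=jump jump-target=smtp-servers dst-address=192.0.2.25
add chain=forward action=jump jump-target=web-servers dst-address=192.0.2.80
add chain=smtp-servers action=accept protocol=tcp dst-port=25
add chain=smtp-servers action=drop comment="A: anything else to the SMTP box"
add chain=web-servers action=accept protocol=tcp dst-port=80,443
add chain=web-servers action=drop comment="A: anything else to the web box"

# Layout B: no accept in forward; each service chain carries its own.
# Every packet addressed to a server walks the jump and that chain's rules.
# Replies leaving a server have it as src-address, so they do not match
# the dst-address jumps and are decided by whatever follows in forward.
/ip firewall filter
add chain=forward action=jump jump-target=smtp-servers dst-address=192.0.2.25
add chain=forward action=jump jump-target=web-servers dst-address=192.0.2.80
add chain=smtp-servers action=accept connection-state=established,related \
    comment="B: tracked connections to the SMTP box"
add chain=smtp-servers action=accept protocol=tcp dst-port=25
add chain=smtp-servers action=drop
add chain=web-servers action=accept connection-state=established,related \
    comment="B: tracked connections to the web box"
add chain=web-servers action=accept protocol=tcp dst-port=80,443
add chain=web-servers action=drop
```

In both layouts a connection only becomes established after its first packet has been accepted by a port rule, and the related state also covers traffic such as ICMP errors tied to a tracked connection.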