This is my packet filter configuration:

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- any any anywhere anywhere icmp echo-request length 128:65535
1789 586K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
7 1844 ACCEPT all -- lo any anywhere anywhere
42 2132 INPUT_DSL all -- ppp0 any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `KMF: '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- any any anywhere anywhere icmp echo-request length 128:65535
0 0 DROP all -- any any anywhere anywhere PKTTYPE = multicast

Chain OUTPUT (policy DROP 3 packets, 281 bytes)
pkts bytes target prot opt in out source destination
2793 358K ACCEPT all -- any any anywhere anywhere state NEW,RELATED,ESTABLISHED

Chain INPUT_DSL (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
42 2132 DROP all -- any any anywhere anywhere

Chain INPUT_MILKY (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:nameserver
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:3128
0 0 DROP all -- any any anywhere anywhere

As you can see, I redirect all packets incoming from ppp0 (the ADSL connection; my modem is connected to the eth0 interface).

In the INPUT_DSL chain I should accept only ssh connections, and everything else should be dropped. The problems are:
- I'm unable to check my port status through nmap... strangely, they all seem open (theoretically they are all filtered except port 22).
- If I execute an ssh session on my IP address (related to ppp0), the related rule's packet counter does NOT increment (how is it possible?).
- I think that some protocols need some special rules, but every connection is established (for example ICQ with gaim)... is ICQ handled by connection tracking?

I'm sure that other hosts see me as filtered (I tried it some days ago, but not with these firewall rules). The problem is that no friend is available on-line... and I don't want to disturb my friends with my firewall configuration by asking them to nmap me every time.

Maybe I'm missing something, or there's some special (and hidden) handling for those packets having my IP as source address.
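As an added illustration (not part of the original post), here is a small Python model of the INPUT and INPUT_DSL chains quoted above that traces which rule a packet hits; it shows why a local test never touches INPUT_DSL: packets a Linux box sends to one of its own addresses, the ppp0 address included, are delivered over lo, so a local ssh or nmap run matches the lo ACCEPT rule, and only a test from an outside host exercises the ppp0 chain. The interface names, ports and rule order are taken from the post; the evaluator itself is an assumed simplification (no conntrack state machine, no ICMP length matching, no LOG rule).

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Simplified model of the INPUT/INPUT_DSL chains from the post (added example,
# not the original configuration file). Conntrack is reduced to a "state" label.
@dataclass
class Rule:
    target: str                      # ACCEPT / DROP / or a user chain to jump to
    in_if: str = "any"
    proto: str = "all"
    dport: Optional[int] = None
    state: Tuple[str, ...] = ()      # conntrack states the rule requires, if any

CHAINS = {
    "INPUT": [
        Rule("ACCEPT", state=("RELATED", "ESTABLISHED")),
        Rule("ACCEPT", in_if="lo"),
        Rule("INPUT_DSL", in_if="ppp0"),
    ],
    "INPUT_DSL": [
        Rule("ACCEPT", proto="tcp", dport=22),   # tcp dpt:ssh
        Rule("DROP"),
    ],
}
POLICY = {"INPUT": "DROP"}           # built-in chains fall through to their policy

def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.in_if in ("any", pkt["in_if"])
            and rule.proto in ("all", pkt["proto"])
            and (rule.dport is None or rule.dport == pkt.get("dport"))
            and (not rule.state or pkt.get("state") in rule.state))

def evaluate(chain: str, pkt: dict, log: List[str]) -> str:
    """First matching rule wins; a user chain with no match returns to the caller."""
    for idx, rule in enumerate(CHAINS[chain]):
        if matches(rule, pkt):
            log.append(f"{chain}[{idx}] -> {rule.target}")
            if rule.target not in CHAINS:
                return rule.target
            verdict = evaluate(rule.target, pkt, log)
            if verdict != "RETURN":
                return verdict
    return POLICY.get(chain, "RETURN")

def trace(pkt: dict) -> Tuple[str, List[str]]:
    log: List[str] = []
    return evaluate("INPUT", pkt, log), log

# Constructed packets: a SYN to port 22 really arriving over the DSL link, the
# same SYN sent from the box to its own ppp0 address (enters on lo), and a SYN
# to port 80 from outside (should be dropped by INPUT_DSL).
REMOTE_SSH = {"in_if": "ppp0", "proto": "tcp", "dport": 22, "state": "NEW"}
LOCAL_SSH = {"in_if": "lo", "proto": "tcp", "dport": 22, "state": "NEW"}
REMOTE_HTTP = {"in_if": "ppp0", "proto": "tcp", "dport": 80, "state": "NEW"}
```

Running `trace(LOCAL_SSH)` shows the packet accepted at INPUT[1] (the lo rule) without the INPUT_DSL ssh counter moving, while `trace(REMOTE_SSH)` is the only path that increments it.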