Dynamic address configuration is the best solution. Only build a DHCP consumer on the public interface.The initial rule accepts packets from currently recognized connections, assuming They are really safe not to overload the CPU. The next rule drops any packet that connection monitoring identifies as invalid. Following that, we setup regular acknow