Ok, mine is actualy even edgier than that; no transit at all, to paraphrase Steeley Dan. But does anyone have a pointer to a good set of ports to block in each direction through my Shorewall DNAT setup, preferably annotated? On reflection, that's actually only outbound; the necessity to set up inbound DNAT manually makes it a default-deny environment, which is one of the reasons that some people like NAT as a component of an edge firewall. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274 Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin)