I posted a similar message recently to a Usenet group. Hopefully, you guys will know better:

I got my Austin Roadrunner service up and running with Linux (Redhat 5.1 + kernel 1.2.126) masquerading an RFC1918 network. Surprisingly, there is currently no need for the authorization process in my area - I suppose I'll need to watch out for this. There should be a temporary kludge to get it working by running the authorization program on an internal NT box - we'll see. I plan on writing a Linux-based process should the need arise.

My question to anyone with ipfw experience is this: I would like to open inbound ftp-data sourced requests but only to my masqueraded boxes (to prevent someone manually sourcing the ftp-data port and breaking my firewall). The ftp masq module should take care of any security problems, but since the ipfw stuff is only based on 'real' IPs on the unsecured side, I can't seem to do this. Am I right in assuming this is the case or is there a way to match incoming requests on a 'post masquerade' basis?

Essentially, I'd like to do something like:

    ipchains -A input -i eth0 -p TCP -y -s 0.0.0.0/0 ftp-data -d RFCNET/24 -j ACCEPT

where eth0 = RoadRunner connection and RFCNET = my 1918 internal network.

Or for a step by step description:

1) packet comes in sourced with ftp-data port
2) input filter lets it through
3) masquerade either handles it or passes it through
4) ipfw blocks the packet if masq can't handle it.

Hopefully, this makes some kind of sense.

Thanks!

-C

Oh! btw, does anyone have experience setting up GRE tunnels with Linux? I'd be very interested in hearing from you...