I didn't see anything glaringly wrong, but I probably don't know what I'm looking for either. Here's my entire ipf.rules:

#########################################################
# Firewalling rules
#########################################################

# set our default policies
block in log all
pass out all

# accept packets coming from the internal interface
pass in on ep1 all
pass in on lo all

# deny any coming from outside which are illegal
# first take care of standard unroutables
block in log quick on ep0 from 0.0.0.0/32 to any
block in log quick on ep0 from 255.255.255.255/32 to any
block in log quick on ep0 from 127.0.0.0/8 to any
block in log quick on ep0 from any to 0.0.0.0/32
block in log quick on ep0 from any to 255.255.255.255/32
block in log quick on ep0 from any to 127.0.0.0/8

# now let's deal with the internal networks
block in log quick on ep0 from 192.168.0.0/16 to any
block in log quick on ep0 from 172.16.0.0/12 to any
block in log quick on ep0 from 10.0.0.0/8 to any
block in log quick on ep0 from any to 192.168.0.0/16
block in log quick on ep0 from any to 172.16.0.0/12
block in log quick on ep0 from any to 10.0.0.0/8

# allow certain classes of ICMP
pass in quick on ep0 proto icmp all icmp-type 0
pass in quick on ep0 proto icmp all icmp-type 3
pass in quick on ep0 proto icmp all icmp-type 11

# allow inbound ssh and mail connections
pass in quick on ep0 proto tcp from any to any port = 22 flags S keep state
pass in quick on ep0 proto tcp from any to any port = 25 flags S keep state

# allow return packets from connections we initiated
pass out on ep0 proto tcp all keep state

# REJECT auth connections for fast SMTP handshake
block return-rst in on ep0 proto tcp from any to any port = 113

# allow udp DNS replies from DNS 1 & 2
pass in on ep0 proto udp from 24.1.240.33 port = 53 to any
pass in on ep0 proto udp from 24.1.240.34 port = 53 to any

# allow NTP replies from 1.3.4.5
# pass in on ep0 proto udp from 1.3.4.5 port 123 to any

# Prevent outside machines from initiating TCP connections to machines
# within our network
block in quick on ep0 proto tcp all flags S/SA
block out quick on ep0 proto tcp all flags SA/SA

# END OF ipf.rules

and ipnat.rules:

# $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
#
# See /usr/share/ipf/nat.1 for examples.
# edit the ipnat= line in /etc/rc.conf to enable Network Address Translation

# map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
map ep0 10.0.1.0/24 -> ep0/32 portmap tcp/udp 1025:65000

#
# End of ipnat.rules

Again, thanks for your time.

CJ