Question about running ssh over a masqueraded network:

I have a linux box that serves as the "point" machine for my network
on which I forward ports with ipchains (2.2 kernel) to to inside
amachines which each run sshd.  My outside machine currently is not
running ssh yet.  If the default policy on my input chain is ACCEPT, I
can successfully forward non standard ports through to specific
machines an establish ssh sessions on them with no problems.  If I
default the input chain to DENY, as is done in endoshield script, The
connections time out and I cannot connect.  In both cases, I forward
the same ports.

Bottom line, If I use endoshield and add on the ipfwadm commands to
forward the ports mentioned above, connections time out; If I do not
use endoshield but use a simpler script that basically leaves the
input chain wide open, I can establish the ssh sessions - no problem.

Any ideas out there, dispite this confusing message?