I took over a custom firewall script from my older Suse machines to my Dom-Us and it works just fine. Doing the same for Dom-0 immediately killed all traffic for the VMs. As there was no need before I had been dropping everything on the FORWARD chain. After ACCEPTing all for FORWARD my VMs are happy again. What's best practice on Dom-0, what do you do? Can I restrict the forwarding, in which way? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com