[CentOS] ftp and iptables

Sat Jan 24 02:42:25 UTC 2009
Robert Spangler <mlists at zoominternet.net>

On Thursday 22 January 2009 17:28, Agile Aspect wrote:

>  Regarding item (2), I would guess I would have to add the following
> entries:
> 
>  Active:
>  ---------
>
>  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20
>  --sport 40000:60000 -j ACCEPT
>  -A OUTPUT -p tcp -m tcp --sport 20 --dport 40000:60000 -j ACCEPT

All FTP connections begin with port 21.  Port 20 is a DATA connection.  
ip_conntrack_ftp will track connections needing the data port open.

>  Passive:
>  ----------
>  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport
>  40000:60000 --sport 40000:60000 -j ACCEPT
>  -A OUTPUT -p tcp -m tcp --sport 40000:60000 --dport 40000:60000 -j ACCEPT

Do you have a rule like this:

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

If not you should place this in your rules.  This rule eliminates the need to 
continuously add rules to allow outgoing connections for allowed incoming 
connections.

If you do then you should not need the OUTPUT rules you listed above.


-- 

Regards
Robert

Linux User #296285
http://counter.li.org
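As an added example illustrating the advice in this reply (not code from the thread, from Robert, or from CentOS): a POSIX sh script that generates an iptables-restore ruleset for an FTP server relying on the kernel's FTP conntrack helper, with a check that the RELATED,ESTABLISHED rules the helper depends on are actually present. The chain name RH-Firewall-1-INPUT is the CentOS default used in the thread; the OUTPUT DROP policy, the DNS rule, the constructed sample rule in the check, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original posts.
# Generates an iptables-restore ruleset for an FTP server that leans on the
# kernel's FTP conntrack helper instead of static data-port rules. The chain
# name RH-Firewall-1-INPUT is the CentOS default used in the thread; the
# OUTPUT DROP policy, the DNS rule and the function names are assumptions
# made for this example.

FTP_CHAIN=RH-Firewall-1-INPUT

# Emit the ruleset on stdout in iptables-restore format.
gen_ftp_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:$FTP_CHAIN - [0:0]
-A INPUT -j $FTP_CHAIN
-A FORWARD -j $FTP_CHAIN
-A $FTP_CHAIN -i lo -j ACCEPT
# Data connections (active from port 20, passive into the server's range)
# are classified RELATED by the ftp helper, so this one rule covers them;
# no rule for port 20 or for a 40000:60000 range is needed.
-A $FTP_CHAIN -m state --state RELATED,ESTABLISHED -j ACCEPT
# The control connection is the only NEW flow the server has to accept.
-A $FTP_CHAIN -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A $FTP_CHAIN -j REJECT --reject-with icmp-host-prohibited
# Outbound: replies and helper-tracked data streams, plus the few NEW
# flows the host itself originates (DNS here, as an assumed example).
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Check a ruleset read from stdin: both the input chain and OUTPUT must
# accept RELATED,ESTABLISHED, otherwise the helper's tracking does nothing
# useful. Returns 0 when both rules are present, 1 otherwise.
check_related_rules() {
    rules=$(cat)
    for chain in "$FTP_CHAIN" OUTPUT; do
        printf '%s\n' "$rules" |
            grep -q -- "^-A $chain -m state --state RELATED,ESTABLISHED -j ACCEPT\$" ||
            return 1
    done
    return 0
}

# Count static data-port rules (port 20 or a port range) in a ruleset read
# from stdin; with the helper in place the answer should be 0.
count_static_data_rules() {
    grep -c -E -- '^-A .*--(d|s)port (20|[0-9]+:[0-9]+) ' || true
}

# Load the helper and install the rules. Run as root. CentOS 5 ships the
# module as ip_conntrack_ftp; kernels 2.6.20 and later call it nf_conntrack_ftp.
apply_ftp_rules() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp || return 1
    gen_ftp_rules | iptables-restore
}

# Usage: "sh ftp-rules.sh" prints the ruleset, "sh ftp-rules.sh check"
# verifies it, "sh ftp-rules.sh apply" installs it (root required).
case "${1:-}" in
    apply) apply_ftp_rules ;;
    check) gen_ftp_rules | check_related_rules && echo "ok" ;;
    *)     gen_ftp_rules ;;
esac
```

To keep the helper loaded across reboots on CentOS, set IPTABLES_MODULES="ip_conntrack_ftp" in /etc/sysconfig/iptables-config. Two caveats a practitioner should check before trusting this: the helper only parses the control channel on port 21 unless loaded with the `ports=` module parameter, and it cannot see PORT/PASV commands inside a TLS-protected (FTPS) session, in which case the passive range does have to be opened statically after all.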