I'm one of those annoying people trying to access their own domain from inside the firewall without using a DMZ. I'm running shorewall 1.3.9b-1 on SuSE 8.0 (2.4.18-4GB kernel) behind ADSL (using rp-pppoe) and everything works great except internal network devices being able to access my internal systems using the external IP address. I have the rule...

    -A loc_dnat -s 192.168.1.16/255.255.255.240 -d 66.149.18.173 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.18

That is to say, my internal subnet is 192.168.1.16/28 where the firewall interface is 192.168.1.17, the web server is .18, and my static IP address is 66.149.18.173.

To see what was going on, I have manually added the following rule...

    iptables -t nat -I loc_dnat 1 -s 192.168.1.16/28 -d 66.149.18.173 -p tcp -m tcp --dport 80 -j LOG --log-prefix 'TAG!'

...and I *do* see the message in /var/log/messages, so I'm sure the rule is firing, but for some reason my browser doesn't seem to be redirected to 192.168.1.18.

Here is the rule line from /etc/shorewall/rules:

    DNAT loc:192.168.1.16/28 loc:192.168.1.18 tcp 80 - 66.149.18.173

PS like I said, everything else works great -- this beats SuSEfirewall2 to death, IMHO.

--Ian
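An added illustration, not part of Ian's message: a small Python model of the packet path for the addresses in the post, assuming the client and the web server share the 192.168.1.16/28 segment so the server can answer the client directly. The `snat` flag models a hypothetical extra source rewrite to the firewall's LAN address; the function name, the client address 192.168.1.20 and the hop labels are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Addresses taken from the post
LAN = ip_network("192.168.1.16/28")
FW_LAN, SERVER, PUBLIC = "192.168.1.17", "192.168.1.18", "66.149.18.173"

def trace(client, snat=False):
    """Follow one TCP/80 connection from a LAN client to PUBLIC.

    Returns (hops, accepted): the (label, src, dst) packets seen and whether
    the reply's source matches the peer the client's socket connected to.
    """
    expected_peer = PUBLIC            # the browser opened a socket to PUBLIC
    src, dst = client, PUBLIC
    hops = [("client->fw", src, dst)]
    # loc_dnat rule from the post: only the destination is rewritten
    if ip_address(src) in LAN and dst == PUBLIC:
        dst = SERVER
    if snat:                          # assumption: source also rewritten to the firewall
        src = FW_LAN
    hops.append(("fw->server", src, dst))
    # The server answers whatever source address it saw
    r_src, r_dst = dst, src
    if r_dst == FW_LAN:
        # Reply returns to the firewall, which reverses both translations
        hops.append(("server->fw", r_src, r_dst))
        r_src, r_dst = PUBLIC, client
        hops.append(("fw->client", r_src, r_dst))
    else:
        # Reply target is on the server's own subnet: delivered on-link,
        # so the firewall never gets to undo the DNAT
        hops.append(("server->client (direct)", r_src, r_dst))
    return hops, r_src == expected_peer

if __name__ == "__main__":
    for flag in (False, True):
        hops, ok = trace("192.168.1.20", snat=flag)   # constructed client address
        print(f"snat={flag}: reply accepted by client: {ok}")
        for label, s, d in hops:
            print(f"  {label:26} {s} -> {d}")
```
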