I have used nat and snat and they will allow normal traffic in and out... but I can't seem to get traffic like that coming into an ftp server to work... I see it logged as ACCEPTED in /var/log/messages; I think it said ACCEPTED dmz to net or something... and then there are no other error messages... except ftp times out on the other end...

I have another question as well... if one were to use an IDS system to monitor the external interfaces on the firewall, could you run the IDS on the dmz if all the ports were forwarded, or would it still be promiscuous on the internal subnet only... because I have found that you can't run snort on aliased IPs without problems... and would like to run snort but don't know how to do it with only one incoming aliased interface.

chrisj