Also, if you have set up FW_SERVICES_EXT_TCP="80", this expressly allows all connections, and so will be a conflicting rule. You need to take port 80 out of that string and create a trust rule in:

# 10.)
# Which services should be accessible from trusted hosts/nets?
#
# Define trusted hosts/networks (doesn't matter if they are internal or
# external) and the TCP and/or UDP services they are allowed to use.
# Please note that a trusted host/net is *not* allowed to ping the firewall
# until you set it to allow also icmp!
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, separated by a space. e.g. "172.20.1.1 172.20.0.0/16"
# Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
# Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""

In other rules you can use ! to make an exception; can anyone confirm if that will work in this rule?

-- 
Reader, suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself.
-- Mark Twain
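
A check for the conflict described above, as an added example that is not part of the original post or of SuSEfirewall2 itself: it lists FW_TRUSTED_NETS entries whose TCP port is already open to everyone through FW_SERVICES_EXT_TCP. The function names and sample addresses are constructed for illustration, and it assumes numeric ports or lo:hi ranges only (service names are not resolved).

```shell
#!/bin/sh
# Added example: flag trusted-net rules that are redundant because the same
# TCP port is also listed in FW_SERVICES_EXT_TCP (open to all hosts).

# port_in_list PORT "LIST": succeed if PORT matches an entry in a
# space-separated list of numeric ports or lo:hi ranges.
port_in_list() {
    _p=$1
    for _e in $2; do
        case $_e in
            *:*)
                _lo=${_e%%:*}; _hi=${_e##*:}
                [ "$_p" -ge "$_lo" ] 2>/dev/null &&
                    [ "$_p" -le "$_hi" ] 2>/dev/null && return 0
                ;;
            *)
                [ "$_p" = "$_e" ] && return 0
                ;;
        esac
    done
    return 1
}

# trusted_tcp_conflicts "EXT_TCP" "TRUSTED_NETS": print every trusted entry
# of the form net,tcp,port whose port is also in EXT_TCP.
trusted_tcp_conflicts() {
    for _t in $2; do
        _rest=${_t#*,}
        [ "$_rest" = "$_t" ] && continue      # entry has no protocol field
        _proto=${_rest%%,*}
        _port=${_rest#*,}
        [ "$_port" = "$_rest" ] && continue   # entry has no port field
        [ "$_proto" = "tcp" ] || continue
        if port_in_list "$_port" "$1"; then
            echo "$_t"
        fi
    done
}

# Constructed sample values: port 80 is both open to all and "trusted".
FW_SERVICES_EXT_TCP="22 80"
FW_TRUSTED_NETS="192.0.2.0/24,tcp,80 198.51.100.7,tcp,443"
trusted_tcp_conflicts "$FW_SERVICES_EXT_TCP" "$FW_TRUSTED_NETS"
```

Any entry it prints is one where the port should be removed from FW_SERVICES_EXT_TCP if access is meant to be limited to the trusted host or network.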