Hello Knut, ok, but the data transfer from the ftp-server does originate from port 20. So why can´t I just tell the firewall to accept packets from the ftp-server which originate at port 20 and are targeted to my client? After reading a bit through the SuSEfirewall2 script I found that such a rule is indeed inserted: from #SuSEfirwall2 status assuming the client has 10.1.1.1 and the ftp-server 192.168.0.1): 0 0 ACCEPT tcp -- * * 10.1.1.1 192.168.0.1 state NEW,RELATED,ESTABLISHED tcp dpt:20 0 0 ACCEPT tcp -- * * 192.168.0.1 10.1.1.1 state RELATED,ESTABLISHED tcp spt:20 flags:!0x16/0x02 Now if I insert a similar rule just without the flags:... part: 0 0 ACCEPT tcp -- * * 192.168.0.1 10.1.1.1 state RELATED,ESTABLISHED tcp spt:20 Then it works. What is this flags... thing for? -- Best regards, André mailto:Andre.Saenger@gmx.de