RE: [suse-security] SuSEfirewall2: are these IPs private or not?
Yep, you're right. BTW, I don't know why I shouldn't MASQ non-private addresses. Let's call it "address hiding" and you have a security feature which is not that bad! I used this for protecting call back lines (which wouldn't hang up when a portscan is done against the called back host otherwise).
Well, I'm one of those who prefers to use NAT for what it's for, i.e. make up for a limited number of official IP addresses. I don't see it as a security feature, at least not any more than stateful packet filtering, as that's basically what it requires to work at all. However, you get all sorts of silly side effects by violating TCP/IP. I prefer to do what firewalling I can with ALGs, circumventing the need for NAT. If I can place the ALGs in a DMZ, I try to obtain official IP addresses for them. There is no need to perform NAT between the DMZ and the internal network (with private IP addresses). You only need NAT when packets need to traverse from the internal network to the outside, there being no suitable proxy available.

Tobias
participants (1)
- Reckhard, Tobias