Dear list readers,

out of educational interest and to understand the advanced features of packet filtering in a better way I am trying to build an ipchains-based firewall on my own. The basic policy of all rules is to deny traffic.

I'd like to build a machine which does masquerading for an internal network but keeps the users ON the machine from running their own servers on TCP or UDP highports. I found no way to differentiate between a port that is used by the firewall machine for local usage and a port that is used for masquerading a connection from the inside network.

This is my basic idea of the firewall. Basic policy: DENY

1. Do masquerading for internal network.
2. Allow SSH connection from internal network.
3. Deny lowport (1-1024) connections to machine.
4. Do forwarding of masqueraded (highport) connections.
5. Deny highport local services.

Using /proc/sys/net/ipv4/ip_local_port_range it is possible to limit the range of highports. Is it possible to limit the range of masqueraded ports to a certain scope? I could replace rules 4 and 5 by:

4. Deny port 1024-20000 connections.   --> locally used ports
5. Accept port 20001-65000 connections. --> masqueraded ports

Do you have any other idea how to differentiate between incoming packets for masqueraded connections and incoming packets for local highport services? The packet headers seem to look the same.

Regards,
Andreas Achtzehn
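As an added example (not from the original post, and not taken from any ipchains documentation), the following script turns the proposed rule list, including the 1024-20000 / 20001-65000 split, into an ipchains ruleset. A DRY_RUN mode prints the commands instead of executing them, so the generated rules can be inspected without root. The internal network 192.168.1.0/24, the internal interface eth1 and the external interface eth0 are assumptions; the port ranges are the ones proposed in the post. For TCP, rule 5 uses the -y (SYN) flag so that only new inbound connections to the local range are refused while replies to the firewall's own outgoing connections still arrive; UDP has no such flag, so the whole local range is denied for UDP.

```shell
#!/bin/sh
# Added example, not from the original post: an ipchains ruleset implementing a
# default-DENY masquerading firewall with the proposed high-port split.
# Assumed values (not from the post): internal net 192.168.1.0/24 on eth1,
# external interface eth0. Set DRY_RUN=1 to print commands instead of running them.

INTERNAL_NET=${INTERNAL_NET:-192.168.1.0/24}
INT_IF=${INT_IF:-eth1}
EXT_IF=${EXT_IF:-eth0}
LOCAL_HIGH="1024:20000"   # range for the firewall's own high-port sockets (denied inbound)
MASQ_HIGH="20001:65000"   # range reserved in the post for masqueraded connections (accepted)

# Execute an ipchains command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# Restrict the kernel's automatic local port allocation to the local range,
# using the /proc path named in the post.
set_local_port_range() {
    if [ -n "$DRY_RUN" ]; then
        echo "echo 1024 20000 > /proc/sys/net/ipv4/ip_local_port_range"
    else
        echo "1024 20000" > /proc/sys/net/ipv4/ip_local_port_range
    fi
}

build_ruleset() {
    set_local_port_range

    # Basic policy: flush old rules, then DENY on every chain.
    run -F
    run -P input DENY
    run -P output DENY
    run -P forward DENY

    # Local programs need loopback traffic.
    run -A input -i lo -j ACCEPT
    run -A output -i lo -j ACCEPT

    # 2. SSH to the firewall itself, only from the internal network.
    run -A input -i "$INT_IF" -p tcp -s "$INTERNAL_NET" -d 0/0 22 -j ACCEPT

    # 1. Masquerading: packets from the internal net may enter on the internal
    # interface, are masqueraded in the forward chain and leave on the external
    # interface. Replies (and SSH answers) go back out on the internal interface.
    run -A input -i "$INT_IF" -s "$INTERNAL_NET" -j ACCEPT
    run -A forward -i "$EXT_IF" -s "$INTERNAL_NET" -j MASQ
    run -A output -i "$EXT_IF" -j ACCEPT
    run -A output -i "$INT_IF" -d "$INTERNAL_NET" -j ACCEPT

    # 3. Low ports (1-1024) on the external interface are denied and logged.
    run -A input -i "$EXT_IF" -p tcp -d 0/0 1:1024 -j DENY -l
    run -A input -i "$EXT_IF" -p udp -d 0/0 1:1024 -j DENY -l

    # 5. Local high-port range: refuse new TCP connections (-y matches SYN only,
    # so replies to the firewall's own outgoing connections still pass) and all
    # UDP, which has no connection setup to match on.
    run -A input -i "$EXT_IF" -p tcp -y -d 0/0 "$LOCAL_HIGH" -j DENY -l
    run -A input -i "$EXT_IF" -p udp -d 0/0 "$LOCAL_HIGH" -j DENY -l

    # 4. Masquerade range: replies for masqueraded connections are accepted here
    # and then demasqueraded by the kernel.
    run -A input -i "$EXT_IF" -p tcp -d 0/0 "$MASQ_HIGH" -j ACCEPT
    run -A input -i "$EXT_IF" -p udp -d 0/0 "$MASQ_HIGH" -j ACCEPT
}

# Usage: sh masq-rules.sh dry-run   (print the commands)
#        sh masq-rules.sh apply     (run as root on an ipchains kernel)
case "${1:-}" in
    dry-run) DRY_RUN=1; build_ruleset ;;
    apply)   build_ruleset ;;
esac
```

Two things to check before relying on this split: /proc/sys/net/ipv4/ip_local_port_range only governs ports the kernel picks automatically, so a user process that calls bind() with an explicit port inside the accepted 20001-65000 range is not stopped by it and would still be reachable through rule 4; and the masquerading code allocates its ports from a kernel-specific range, so verify on the kernel in use that those ports actually fall inside MASQ_HIGH, otherwise masqueraded replies are dropped by rule 5.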