Neal, As for the --sport flag for OUTPUT, should it not be left arbitrary? The SSH daemon should use unprivileged ports between 1024 and 65535. The only daemon I know thus far that does not is NTP which is hardwired to 123 both ways.
Thanks Guys, Nick.
