> As far as I know, this only applies to _active_ ftp, about which I am
> not concerned at the moment.

Ah yes... that's what I get for doing e-mail at 6am. :-/

Your problem description seems to imply that you have a block out all and that you're only allowing select outbound traffic. In which case you would need to either open (for outbound, stateful traffic) all the ephemeral ports that ftp-proxy uses for outbound stateful traffic, or you could probably reverse the rule I gave you and do pass out from user proxy keep state.

If you have a "friendly" firewall setup with a pass out all keep state at the end, then something else is amiss.

cheers,
Matt