On Thu, Mar 20, 2008 at 07:49:12AM -0400, Mansour Moufid wrote:

[...]

> for i in $IP
> do
>   $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP -d $i --dport $RSYNC --syn
> -m state --state NEW -j ACCEPT
>   $IPT -A INPUT  -i $EXTIF -p tcp -s $i -d $EXTIP --sport $RSYNC --syn
> -m state --state NEW -j ACCEPT

I think the last rule is useless. You should not get a respone from a
host which is "NEW", because it belongs to package, which was sent out
before.

> done

best regards

Koppensteiner Mario