On Fri, 16 Jan 2009 21:34:59 -0800 Grant wrote:

> I think this leaves a squid proxy setup as my only option?

Sorry, I hadn't noticed the fact that there are machines behind the firewall that need to be restricted, and the aforementioned rule certainly won't do that.

A Squid setup should certainly be a solid solution to the problem. It should also save quite a lot of traffic and speed up browsing via a common cache. You can actually disable NAT on the firewall if there are no specific software requirements that can't work with an HTTP proxy, which are quite rare, with the exception of games and p2p software.

And since you're using Gentoo, you can also pass rsync traffic through a proxy. Rsync (as well as wget and lots of other tools) will use the proxy automatically if the RSYNC_PROXY (http_proxy/ftp_proxy for other apps, lower- and uppercase) env var is set. For squid to pass rsync traffic you'll need to specify the rsync port in squid.conf, like this:

  acl SSL_ports port 873   # rsync
  acl Safe_ports port 873  # rsync

-- 
Mike Kazantsev // fraggod.net
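The two acl lines above matter because rsync, with RSYNC_PROXY set, does not speak HTTP to the proxy at all: it sends a single HTTP CONNECT for host:873 and expects a 200 reply before starting the rsync protocol inside the tunnel, and squid's stock rules (`http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`) refuse CONNECT to any port not listed in SSL_ports. The following is an added example written for this page, not code from the thread or from rsync/squid: a mock CONNECT proxy that enforces a configurable SSL_ports set, a mock rsync daemon that only sends its "@RSYNCD:" greeting, and a client that performs the handshake the way rsync does. Everything runs on loopback with ephemeral ports; the port-873 target is only what the client asks the proxy for, and the hostname in the demo is a placeholder.

```python
"""Simulate rsync's RSYNC_PROXY handshake against a squid-like CONNECT ACL.

Added example (not from the mailing-list post). The proxy below is a mock:
it only implements the SSL_ports check and relays the daemon's first line.
"""
import socket
import threading

RSYNC_PORT = 873  # the port rsync asks the proxy to CONNECT to


def _listen_loopback():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port, never 873 itself
    srv.listen(5)
    return srv


def _skip_headers(f):
    """Consume header lines up to and including the blank line."""
    while f.readline() not in (b"\r\n", b"\n", b""):
        pass


def start_fake_rsyncd():
    """Mock rsync daemon: sends the protocol greeting and hangs up. Returns its port."""
    srv = _listen_loopback()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"@RSYNCD: 31.0\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_connect_proxy(ssl_ports, upstream_port):
    """Mock of squid's CONNECT path: `http_access deny CONNECT !SSL_ports`.

    ssl_ports: set of ports CONNECT may target (squid's SSL_ports acl).
    upstream_port: where the mock daemon really listens (stands in for 873).
    Returns the proxy's listening port.
    """
    srv = _listen_loopback()

    def handle(conn):
        with conn:
            f = conn.makefile("rb")
            parts = f.readline().decode("ascii", "replace").split()
            _skip_headers(f)
            if len(parts) != 3 or parts[0] != "CONNECT" or ":" not in parts[1]:
                conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
                return
            _host, _, port = parts[1].rpartition(":")
            if not port.isdigit() or int(port) not in ssl_ports:
                conn.sendall(b"HTTP/1.0 403 Forbidden\r\n\r\n")  # denied by ACL
                return
            with socket.create_connection(("127.0.0.1", upstream_port)) as up:
                conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
                conn.sendall(up.recv(4096))  # relay the daemon greeting

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def rsync_connect_via_proxy(proxy_port, host, port=RSYNC_PORT):
    """What rsync does when RSYNC_PROXY is set: CONNECT host:port HTTP/1.0.

    Returns (http_status, first_line_through_the_tunnel or None).
    """
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode("ascii"))
        f = s.makefile("rb")
        parts = f.readline().decode("ascii", "replace").split()
        _skip_headers(f)
        if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
            return (0, None)
        status = int(parts[1])
        if status != 200:
            return (status, None)
        return (status, f.readline().decode("ascii", "replace").strip())


if __name__ == "__main__":
    rsyncd = start_fake_rsyncd()
    # stock squid: only 443 in SSL_ports -> CONNECT to 873 is refused
    print(rsync_connect_via_proxy(start_connect_proxy({443}, rsyncd), "mirror.example"))
    # with "acl SSL_ports port 873" added -> tunnel opens, greeting comes back
    print(rsync_connect_via_proxy(start_connect_proxy({443, 873}, rsyncd), "mirror.example"))
```

The first call models a default squid.conf and yields a 403 with no tunnel; the second, with 873 added to SSL_ports, returns 200 and the daemon's "@RSYNCD:" line. Note the ACL is enforced on the port the client names in the CONNECT request, which is exactly the check the two acl lines relax for 873 and nothing else.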