Unless I'm mistaken, there appears no way to cause ipfw's internal nat mechanism to log dropped packets. This is a considerable loss of functionality from using natd. Is there a reason for this? - M -- Michael Sierchio +1 415 378 1182 PO Box 9036 Berkeley CA 94709 US kudzu at tenebras.com