Do you normally forward everything from e.g. eth0 to eth1? I recently upgraded (downloaded) a lot of packages on the webserver, and noticed later on the MRTG graph that the traffic was identical (only switched) on the two interfaces. Is downloading ftp-data to the firewall from the internet really RELATED,ESTABLISHED, so that it should be forwarded to the internal interface?

# iptables -L FORWARD -v
Chain FORWARD (policy DROP 5 packets, 224 bytes)
 pkts bytes target     prot opt in     out     source               destination
28224 2433K ACCEPT     all  --  eth0   eth1    anywhere             anywhere            state RELATED,ESTABLISHED

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

- M
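As an added example (not code from the post above or its author), the script below parses the counter listing that `iptables -L -v -n` prints, expands the abbreviated K/M/G counters, and totals the bytes each FORWARD rule accepted per (in, out) interface pair. The sample listing embedded in it is constructed in the same column layout as the post's output, using `-n` so addresses print as 0.0.0.0/0 rather than "anywhere"; the INPUT chain and the eth1->eth0 rule are assumptions added for the comparison. The point it makes concrete: packets addressed to the firewall itself traverse INPUT and OUTPUT, never FORWARD, so bytes counted on a FORWARD rule really crossed from one interface to the other.

```python
"""Added example, not code from the original post: parse the counter listing
that `iptables -L -v -n` prints and total the bytes that actually transited
the firewall per interface pair. Packets destined for the firewall host
itself go to INPUT after the routing decision; only routed packets reach
FORWARD, so FORWARD counters measure transit traffic only."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample (not real counters) in the column layout of
# `iptables -L -v -n`; -n prints 0.0.0.0/0 where the post shows "anywhere".
SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 640 bytes)
 pkts bytes target     prot opt in     out     source               destination
 9120 2433K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 5 packets, 224 bytes)
 pkts bytes target     prot opt in     out     source               destination
28224 2433K ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  310 18600 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
"""

# iptables abbreviates counters with decimal (power-of-1000) suffixes;
# run it with -x to get exact values instead.
SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}


def parse_counter(text: str) -> int:
    """Expand an abbreviated counter: '2433K' -> 2433000."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"unexpected counter field: {text!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    match: str  # trailing match text, e.g. "state RELATED,ESTABLISHED"


@dataclass
class Chain:
    name: str
    policy: str            # built-in chains only; "" for user-defined chains
    policy_pkts: int
    policy_bytes: int
    rules: List[Rule] = field(default_factory=list)


BUILTIN_RE = re.compile(r"Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
USERCHAIN_RE = re.compile(r"Chain (\S+) \(\d+ references\)")


def parse_listing(text: str) -> Dict[str, Chain]:
    """Parse `iptables -L -v -n` output into {chain name: Chain}.
    Assumes every rule has a target (a rule without -j leaves the target
    column blank and shifts the fields, which this parser does not handle)."""
    chains: Dict[str, Chain] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = BUILTIN_RE.match(line)
        if m:
            name, policy, p, b = m.groups()
            current = chains[name] = Chain(name, policy, parse_counter(p), parse_counter(b))
            continue
        m = USERCHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = Chain(m.group(1), "", 0, 0)
            continue
        if line.split()[0] == "pkts" or current is None:
            continue  # column header line
        # Nine fixed columns (pkts bytes target prot opt in out src dst);
        # anything after the destination is match text.
        f = line.split(None, 9)
        match = f[9].strip() if len(f) > 9 else ""
        current.rules.append(Rule(parse_counter(f[0]), parse_counter(f[1]), f[2], f[3],
                                  f[5], f[6], f[7], f[8], match))
    return chains


def transit_bytes(chain: Chain) -> Dict[Tuple[str, str], int]:
    """Bytes accepted per (in, out) interface pair. For FORWARD this is
    traffic that really crossed the box, which is why an interface graph
    can show the same curve on both sides: one is the routed copy of the other."""
    totals: Dict[Tuple[str, str], int] = {}
    for r in chain.rules:
        if r.target == "ACCEPT":
            key = (r.in_if, r.out_if)
            totals[key] = totals.get(key, 0) + r.nbytes
    return totals


if __name__ == "__main__":
    chains = parse_listing(SAMPLE)
    for name in ("INPUT", "FORWARD"):
        c = chains[name]
        print(f"{name}: policy {c.policy}, {c.policy_bytes} bytes hit the policy")
        for (in_if, out_if), n in transit_bytes(c).items():
            print(f"  {in_if} -> {out_if}: {n} bytes accepted")
```

To use it on a live box, replace SAMPLE with the output of `iptables -L -v -n` (or `-v -n -x` for exact counters) and compare the INPUT totals against the FORWARD totals: a download the firewall performs for itself only moves the INPUT and OUTPUT counters.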