IPFW help

[Himal Mandalia]

I've been trying to set up IPFW to do port forwarding so I can use a machine 
on a private network as a web server. I'm using NAT, which works fine, but 
can't seem to get port forwarding working unless I remove the "deny ip from 
any to any" in my firewall script.

natd.conf:

interface en0
dynamic yes
use_sockets yes
same_ports yes
redirect_port tcp 192.168.0.2:80 80

firewall script:

/sbin/ipfw -q -f flush

cmd="/sbin/ipfw add"

oif="en0" #public iface
iif="en1" #private iface
oip=`ifconfig $oif | grep 'inet' | awk '{print $2}'`
optimus="192.168.0.2" #webserver on private segment

$cmd 00010 allow ip from any to any via lo0
$cmd 00020 deny log ip from any to 127.0.0.0/8
$cmd 00100 divert 8668 ip from any to any via $oif

$cmd 00400 fwd $optimus,80 tcp from any to $oip 80

$cmd 00500 allow tcp from any to any established

$cmd 00600 allow tcp from any to $oip ftp,ssh,http setup
$cmd 00700 allow tcp from any to $oip 5900-5909 setup
$cmd 00800 allow tcp from any to $oip 
6881-6999,6669,3689,873,6346,1863,443,2628 setup
$cmd 00900 allow udp from any to $oip 27960-27969
$cmd 01000 allow icmp from any to any
$cmd 02000 allow icmp from any to any icmptypes 3,4,11,12

$cmd 03000 reset tcp from any to $oip 113
$cmd 04000 check-state
$cmd 05000 allow ip from $oip to any keep-state out via $oif
$cmd 06000 allow ip from 192.168.0.0/16 to any keep-state via $iif

$cmd 65000 deny ip from any to any


Removing the last line works, but then security's out of the window I 
suppose. I'm sure it's just a problem with the order of the rules or 
something like that. Any suggestions and help would be most welcome.

Thanks

_________________________________________________________________
Use MSN Messenger to send music and pics to your friends 
http://messenger.msn.co.uk