I never suggested that tcp/873 was not used by rsync! I know that it is used by rsync, but my original question was asking how to allow a DSS on an internal network to replicate to an external DSS on a public IP. In this scenario, allowing tcp/873 has nothing to do with it since in the vast majority of cases, most types of traffic are allowed out from an internal server. The solution was allowing icmp packets from outside and mapping them back to the internal DSS address which is something your documentation mentions nothing about. It seems that your documentation covers the reverse situation only. I sincerely hope this thread helps someone else out there and I really don't want to upset anyone, but this whole business should not have been such hard work!