Are the access rules processed from the top down (by priority) or from the bottom up? And should all my deny rules be grouped together or should the denies be with the related allow rule(s)? Ya know the issue of port forwarding and 1to1 nat opening the world. I scoured the forums and found how to get granular (remove port forwarding/1to1 nat and make UPnP entries for my services and than a deny and allow entry in my Access Rules). Just curious if the denies can or should be lumped together or need to follow/precede (depending on how rules are processed) their related allow rule. In the Cisco world you try to place you most used ACL's at the top of your list.. So.. Just curious. Thank you to all who reply.