Anyone tinkered with PBACLs (object-groups)? Kind of cool. Now I can have "friendly" names in my ACLs, and can group ip/ports. I just refactored a bunch of ACLs to use this as it makes them more maintainable. Suprised you can't nest object-groups though. Perhaps it was a deliberate omission so users wouldn't start using it as a stateless firewall. Tim:>