dpurgert: thanks, I understand now
couple more questions
if I also need to forward a range, do I do a dnat and firewal for that also.
I need to open 9000-9010 at least
Also, what is keeping nefarious sources from coming inside my lan with? seems to me that firewall setting is allowing anything in on 5060?