To our great mystery we found that our RB was no longer accepting queries on its BDII, even though the thing was running. Stranger and stranger, at some point we saw mysterious iptables messages in the log files. To finally discover the following magic in /etc/init.d/lcg-bdii iptables -I INPUT --protocol tcp --destination-port $BDII_PORT_READ --syn -j DROP iptables -I INPUT -s 127.0.0.1/32 --protocol tcp --destination-port $BDII_PORT_READ --syn -j DROP for x in `seq 1 5`; do connections=`netstat --tcp --numeric | grep -v TIME_WAIT | awk '{print $4}' | grep :2170` if [ ! "x$connections" = "x" ]; then sleep 1 fi done $0 stop mv $LDAP_DB_WRITE/* $LDAP_DB_READ $0 start iptables -D INPUT --protocol tcp --destination-port $BDII_PORT_READ --syn -j DROP iptables -D INPUT -s 127.0.0.1/32 --protocol tcp --destination-port $BDII_PORT_READ --syn -j DROP Unfortunately, if something goes wrong enough in the middle part and blows you out of the script, you get a blocked BDII port that never gets unblocked. We even had fun by attempting to start the BDII several times -- the start failed, but the number of iptables rules continued to decrease after each start, as the script doesn't check whether the rule it's setting is already set. Running the 'stop' method of the init.d script a sufficient number of times managed to restore relative sanity. Could the next implementation do something with the program itself and whether it binds to a particular interface or not, rather than using iptables? I think that would be much less error prone. Thanks, J "drop kick" T