Hi all Maybe it can be worth noticing that if you have dynamic zones on some wild-card interfaces, like: /etc/shorewall/zones: ptp ipv4 /etc/shorewall/interfaces: - ppp+ /etc/shorewall/hosts ptp ppp+:dynamic then when you add a host via the "shorewall add" command, you have to indicate the interface generically as "ppp" and not ppp3 (or what the actual interface is) or ppp+ (as it used to work in shorewall 3.2). This is because, at least in this wild-card interface scenario, shorewall creates and uses an ipset named ptp_ppp. So if you write /sbin/shorewall add ppp:192.168.33.3 ptp Then you''re OK. If you write (supposing the actual new interface is named ppp3) /sbin/shorewall add ppp3:192.168.33.3 ptp You get no errors, but a new ipset named ptp_ppp3 is created, which is not referenced in the rules created by shorewall at all. If you write (as in the old 3.2 days) /sbin/shorewall add ppp+:192.168.33.3 ptp You get ERROR: Zone ptp, interface ppp+ is does not have a dynamic host list Maybe this observation could go in Dynamic.html, or even better the add_command function could automatically strip the trailing digits from the given interface name when this interface matches some wild-card in a dynamic zone. HTH. ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/