Hi All!

When I used to train Burroughs/Unisys engineers I would always start with pointing out that the only stupid or foolish question is the one that would make them look a bit dof (dumb IOW). I always made the point about how their "dumb" question almost always helps others! My past experience anyway!

Okay, on to the documentation "features"! The web page says 4.4 and 4.5, yet when you look at the Multi ISP Connections on a single firewall and how to get a local service like smtp to use a specific provider, the chat is all about the nice new mangle file! My Gentoo provided 4.5.18 does not have anything called mangle! I would assume that we non-beta users would only come across it in 4.6! It really confused me! Why must I now put my rule in as MARK(xx) ... into my tcrules! You get used to the filenames and it's only when digging a bit deeper by reading a bit deeper and more carefully that the "mangle" pops up!

Which now leads me on to my problem! I have a site that has just had a shiny new 5M fibre connection installed. I need to toss out my old script based firewall as it cannot handle multiple ISP connections! Because of the new connection being 5 times faster than the old leased line and the need to do some heavy traffic shaping, I have opted to use WIDE_TC_MARKS=Yes and HIGH_ROUTE_MARKS=Yes, which I figured out need to be translated to the new config variables! Again the documentation is none too clear! A few errors on another site sorted that out!

I decided that I need to give myself lots of room to play. My only other multi ISP site turned into a dog's breakfast as the one ISP could not get their WiFi connection working and reliable! So my providers file looks like this.

    digi   1  0x10000  -  $DIGI_IF   x.x.x.x        loose,balance=1
    adsl   2  0x20000  -  $ADSL_IF   10.10.117.254
    fibre  3  0x30000  -  $FIBRE_IF  y.y.y.y        loose,balance=4

Now that dumb question! I need to get smtp traffic from postfix on the firewall to only use the digi provider! Here it comes!
What am I meant to put into tcrules to do it! Do I use the provider number or MARK of 0x10000? I have read and reread the docs on the website plus the good man pages but I'm either dof and don't see something I should or I'm just getting past this stuff! All a bit confusing really!

My tcrules snippet looks like this! Even ready for mangle!

    # Send smtp out the Digi line
    1 $FW 0.0.0.0/0 tcp 25
    #We will use this in the new mangle file!
    #MARK(2) $FW 0.0.0.0/0 tcp 25

I managed last night to break the server good and proper like! Silly me forgot to put my usual last resort "at" bomb in place to init 6! I did do the other bits to stop shorewall and start the old firewall, then I fiddled, didn't I. Tried to get the customer to reboot it but the clowns did the wrong server! Fortunately they are just a short few Km's away! Guess they need some good labels on all their servers!

Reading man shorewall-tcrules seems to indicate that it might just be the provider number and it is added in the OUTPUT chain, which should push it out on the digi provider! My quick test with telnet seemed to use the fibre provider. I then used mail to send a mail to another customer server and once again it seemed to use the fibre provider! Then I fiddled and it just broke!

Bit of an extra issue is that this customer works sort of 24/7 with a few little breaks and internet is pretty critical, especially when chatting with head office States side!

Any thoughts and ideas are most welcome!

Ang

--
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com
Smile! Yeshua Loves You!