This is somewhat related to the issue from PATCH 4; I corrected it before work this morning.

Consider the following:

shorewall.conf:

    INVALID_DISPOSITION=DROP

rules:

    SECTION INVALID
    CONTINUE ...
    SECTION NEW
    Invalid(...) ...

Because the INVALID_DISPOSITION is DROP, the RC 2 compiler suppresses the rule(s) generated by the Invalid(...) invocation. The attached patch causes the rule(s) to be emitted.

Note that the compiler only keeps track of the fact that a chain contains at least one RETURN rule (that's needed for the optimizer to work correctly). So the rule(s) generated by Invalid(...) may still not be capable of being matched.

Patch attached.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________