Hi all,

I have created an internal subnet here to protect my local network from the links to news and stock agencies (Reuters, Bloomberg etc). The setup is not simple, as I have different ports and routes to each provider. I decided to create different zones for each provider. I'm using the following setup:

=== zones file:
#ZONE DISPLAY COMMENTS
ubsw UBSW UBSW Servers
blmb Bloomberg Bloomberg Frame Relay Network
brd Broadcast Agencia Estado - Broadcast
net Net Internet
trd Traders Rede Traders
loc Local Local networks
=== where loc and trd are the internal local subnets where the traders work and ubsw, blmb, brd are some of the providers.

=== interfaces file:
net eth0 detect routefilter
- eth1 detect
=== where eth1 is the interface connected to my local network and eth0 to the new subnet.

=== hosts file:
#ZONE HOST(S) OPTIONS
ubsw eth0:172.31.0.0/24
brd eth0:172.31.6.90/32
brd eth0:172.31.6.95/32
blmb eth0:208.134.161.0/24
blmb eth0:205.183.246.0/24
blmb eth0:199.105.176.0/21
blmb eth0:199.105.184.0/23
loc eth1:10.1.16.0/20
trd eth1:10.1.32.0/20

=== masq file:
#INTERFACE SUBNET ADDRESS
eth0 eth1 172.31.6.64
=== I don't know why, but shorewall creates the following rule for this masq line:
Chain eth0_masq (1 references)
target prot opt source destination
SNAT all -- 10.1.16.0/20 anywhere to:172.31.6.64
=== why is only subnet 10.1.16.0/20 masqued? what about 10.1.32.0/20? what did I do wrong?

=== nat file:
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
172.31.6.65 eth0 10.1.27.31
172.31.6.66 eth0 10.1.21.21
172.31.6.67 eth0 10.1.21.22
172.31.6.68 eth0 10.1.21.23
172.31.6.69 eth0 10.1.21.24
172.31.6.70 eth0 10.1.21.25
172.31.6.71 eth0 10.1.21.26
172.31.6.72 eth0 10.1.21.27
=== these fixed IPs in my local network are an imposition of Bloomberg, which needs unique IPs from its clients and could not route from their servers to my local network, so I NATted all my traders' Bloomberg machines (ugh!). Could I use a pool of NAT? Would it work?

now my main doubt:
I can't use n to 1 NAT to the servers at the brd zone. The server connects the first client but does not answer any other client afterwards. So I needed to tell shorewall not to masq packets destined to servers 172.31.6.95 and 172.31.6.90. The only way I could figure out was creating a start file with the following statements:
run_iptables -I POSTROUTING 2 -t nat -d 172.31.6.95 -j RETURN
run_iptables -I POSTROUTING 2 -t nat -d 172.31.6.90 -j RETURN

and that makes the POSTROUTING chain look like this:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
nat_out all -- anywhere anywhere
RETURN all -- anywhere 172.31.6.90
RETURN all -- anywhere 172.31.6.95
eth0_masq all -- anywhere anywhere

and that solved the problem but... Isn't there another way out? Especially one that wouldn't use the start file?
Every time I use a start file in a shorewall configuration I feel like I'm cheating, you know ;-)

Well, sorry for the long post and thanks for your attention,

________________________
Eduardo Ferreira
> Hi all,
>
> I have created an internal subnet here to protect my local network
> from the links to news and stock agencies (Reuters, Bloomberg etc).
> The setup is not simple, as I have different ports and routes to
> each provider. I decided to create different zones for each provider.
> I'm using the following setup:
>
> === zones file:
> #ZONE DISPLAY COMMENTS
> ubsw UBSW UBSW Servers
> blmb Bloomberg Bloomberg Frame Relay Network
> brd Broadcast Agencia Estado - Broadcast
> net Net Internet
> trd Traders Rede Traders
> loc Local Local networks
> === where loc and trd are the internal local subnets where the traders work
> and ubsw, blmb, brd are some of the providers.
>
> === interfaces file:
> net eth0 detect routefilter
> - eth1 detect
> === where eth1 is the interface connected to my local network and eth0
> to the new subnet.
>
> === hosts file:
> #ZONE HOST(S) OPTIONS
> ubsw eth0:172.31.0.0/24
> brd eth0:172.31.6.90/32
> brd eth0:172.31.6.95/32
> blmb eth0:208.134.161.0/24
> blmb eth0:205.183.246.0/24
> blmb eth0:199.105.176.0/21
> blmb eth0:199.105.184.0/23
> loc eth1:10.1.16.0/20
> trd eth1:10.1.32.0/20
>
> === masq file:
> #INTERFACE SUBNET ADDRESS
> eth0 eth1 172.31.6.64
> === I don't know why, but shorewall creates the following rule for this
> masq line:
> Chain eth0_masq (1 references)
> target prot opt source destination
> SNAT all -- 10.1.16.0/20 anywhere to:172.31.6.64
> === why is only subnet 10.1.16.0/20 masqued? what about
> 10.1.32.0/20? what did I do wrong?

You did nothing wrong -- Shorewall only looks at the FIRST address when you enter a device name in the SUBNET column of the masq file.

> now my main doubt:
> I can't use n to 1 NAT to the servers at the brd zone. The server
> connects the first client but does not answer any other client
> afterwards. So I needed to tell shorewall not to masq packets
> destined to servers 172.31.6.95 and 172.31.6.90. The only way I
> could figure out was creating a start file with the following
> statements:
> run_iptables -I POSTROUTING 2 -t nat -d 172.31.6.95 -j RETURN
> run_iptables -I POSTROUTING 2 -t nat -d 172.31.6.90 -j RETURN
>
> and that makes the POSTROUTING chain look like this:
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> nat_out all -- anywhere anywhere
> RETURN all -- anywhere 172.31.6.90
> RETURN all -- anywhere 172.31.6.95
> eth0_masq all -- anywhere anywhere
>
> and that solved the problem but... Isn't there another way out?
> Especially one that wouldn't use the start file? Every time I use a
> start file in a shorewall configuration I feel like I'm cheating, you
> know ;-)

In the masq file, your two entries should look like

eth0!172.31.6.90,172.31.6.95 10.1.16.0/24
eth0!172.31.6.90,172.31.6.95 10.1.32.0/24

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
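The rule walk behind Eduardo's POSTROUTING listing and Tom's explanation, as an added example that is not part of the thread and not Shorewall or iptables code: a small Python model of how the nat/POSTROUTING chain is traversed. `eduardo_chains()` reproduces the posted rule order (nat_out, the two start-file RETURN rules, eth0_masq with only the first eth1 subnet). The contents of nat_out are an assumption, rendered here as the SNAT half of two of the nat file entries. `intended_chains()` is constructed to show the behaviour the masq exclusion is meant to give (both trader subnets masqueraded to 172.31.6.64 except towards the two brd servers, using the /20 prefixes from the hosts file); Shorewall's real generated rules may be laid out differently. The RETURN semantics are the real ones: in a user chain RETURN hands back to the caller, which continues with its next rule; in the built-in POSTROUTING chain it applies the chain policy, so the packet leaves without NAT.

```python
"""Toy model of nat/POSTROUTING traversal for the Shorewall thread above.

Constructed example, not Shorewall or iptables code.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")
BUILTIN = {"POSTROUTING"}   # RETURN / fall-through here means "apply the chain policy"


@dataclass
class Rule:
    target: str                     # "SNAT", "RETURN", or the name of a user chain to jump to
    src: Net = ANY                  # -s
    dst: Net = ANY                  # -d
    not_dst: List[Net] = field(default_factory=list)   # ! -d exclusions (logical model)
    to: Optional[str] = None        # SNAT --to-source

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        if src not in self.src or dst not in self.dst:
            return False
        return not any(dst in n for n in self.not_dst)


def _walk(chains: Dict[str, List[Rule]], chain: str, src: IPv4, dst: IPv4) -> Tuple[bool, Optional[str]]:
    """Walk one chain; returns (traversal_finished, snat_to).

    A user chain that hits RETURN or falls off its end gives control back to the
    caller, which carries on with its next rule.  In a built-in chain the same
    events apply the policy (ACCEPT here), i.e. the packet leaves un-NATed.
    """
    for rule in chains[chain]:
        if not rule.matches(src, dst):
            continue
        if rule.target == "RETURN":
            return (chain in BUILTIN), None
        if rule.target == "SNAT":
            return True, rule.to
        done, to = _walk(chains, rule.target, src, dst)   # jump into a user chain
        if done:
            return True, to
    return (chain in BUILTIN), None


def post_nat_source(chains: Dict[str, List[Rule]], src: str, dst: str) -> str:
    """Source address a packet leaves the box with after nat/POSTROUTING."""
    _, to = _walk(chains, "POSTROUTING", IPv4(src), IPv4(dst))
    return to if to is not None else src


def eduardo_chains() -> Dict[str, List[Rule]]:
    """The POSTROUTING chain as posted, start-file RETURN rules in positions 2 and 3."""
    return {
        "POSTROUTING": [
            Rule("nat_out"),
            Rule("RETURN", dst=Net("172.31.6.90/32")),
            Rule("RETURN", dst=Net("172.31.6.95/32")),
            Rule("eth0_masq"),
        ],
        # Assumed rendering of two of the nat file's one-to-one entries.
        "nat_out": [
            Rule("SNAT", src=Net("10.1.27.31/32"), to="172.31.6.65"),
            Rule("SNAT", src=Net("10.1.21.21/32"), to="172.31.6.66"),
        ],
        # Shorewall used only eth1's first subnet, hence one rule for 10.1.16.0/20.
        "eth0_masq": [
            Rule("SNAT", src=Net("10.1.16.0/20"), to="172.31.6.64"),
        ],
    }


def intended_chains() -> Dict[str, List[Rule]]:
    """Constructed target behaviour: both trader subnets masqueraded except to the brd servers."""
    brd = [Net("172.31.6.90/32"), Net("172.31.6.95/32")]
    chains = eduardo_chains()
    chains["POSTROUTING"] = [Rule("nat_out"), Rule("eth0_masq")]
    chains["eth0_masq"] = [
        Rule("SNAT", src=Net("10.1.16.0/20"), not_dst=brd, to="172.31.6.64"),
        Rule("SNAT", src=Net("10.1.32.0/20"), not_dst=brd, to="172.31.6.64"),
    ]
    return chains


if __name__ == "__main__":
    flows = (("10.1.16.5", "172.31.0.10"),      # loc -> ubsw
             ("10.1.16.5", "172.31.6.90"),      # loc -> brd server, must keep its own IP
             ("10.1.32.5", "172.31.0.10"),      # trd -> ubsw, silently un-NATed in the posted setup
             ("10.1.21.21", "208.134.161.7"))   # Bloomberg trader box, one-to-one NAT
    for name, chains in (("posted", eduardo_chains()), ("intended", intended_chains())):
        print(f"--- {name} ---")
        for s, d in flows:
            print(f"{s:>11} -> {d:<15} leaves as {post_nat_source(chains, s, d)}")
```

Running it shows the two points of the exchange side by side: with the posted chain a trader in 10.1.32.0/20 reaches the providers with its private address because no masq rule matches it, while the RETURN rules correctly leave 172.31.6.90/.95 traffic untouched; the intended variant keeps the exclusion and covers both subnets.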
Tom,

It didn't work - when I executed the shorewall restart statement the program issued an error:

[snip]
MASQUERADE Subnets and Hosts:
Error: Unknown interface eth0!172.31.6.90,172.31.6.95

and then I ran to my server room...

any ideas?

tks,

Eduardo Ferreira

shorewall-users-admin@shorewall.net wrote on 14/11/2002 17:02:22:
> > === why is only subnet 10.1.16.0/20 masqued? what about
> > 10.1.32.0/20? what did I do wrong?
>
> You did nothing wrong -- Shorewall only looks at the FIRST address when
> you enter a device name in the SUBNET column of the masq file.
>
> In the masq file, your two entries should look like
>
> eth0!172.31.6.90,172.31.6.95 10.1.16.0/24
> eth0!172.31.6.90,172.31.6.95 10.1.32.0/24
>
> -Tom
> Tom,
>
> It didn't work - when I executed the shorewall restart statement the
> program issued an error:
>
> [snip]
> MASQUERADE Subnets and Hosts:
> Error: Unknown interface eth0!172.31.6.90,172.31.6.95
>
> and then I ran to my server room...
>

I humbly beg your pardon. I implemented that syntax for the second column but not the first. You can write:

eth0:!172.31.6.90 10.1.16.0/24

(note the ":") but you can't include a list of exclusions there. So until I get around to adding that feature, you will have to stick with what you are doing.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net