I run Shorewall on a Bering router and need to do some (what I would call) source-depending DNAT (Port-FW).

I want all incoming UDP connections to 200.171.1.1:1111 from subnet 200.0.0.0/8 forwarded to 192.168.1.1:1111 (just an example). All other incoming connections to 200.171.1.1:1111 I want to forward to 192.168.1.2:1111.

Could I do something like this???

ACTION  SOURCE            DESTINATION           PROTOCOL  DESTINATION  SOURCE  ORIGINAL
                                                          PORT         PORT    DESTINATION
DNAT    net:200.0.0.0/8   loc:192.168.1.1:1111  udp       1111         -       200.171.1.1
DNAT    net:!200.0.0.0/8  loc:192.168.1.2:1111  udp       1111         -       200.171.1.1

I have no means to test the "net:!200.0.0.0/8" statement.

Many thanks for helping a "Shorewall-Greenhorn".

Juergen