I've decided to make a late addition to 1.4.0. A number of you have encountered a problem whereby TCP connections could not be established to certain sites. The solution was to turn off Explicit Congestion Notification (ECN -- RFC 3168). I have added a facility whereby ECN may be turned off on a host or network basis. A new /etc/shorewall/ecn file (format is the same as /etc/shorewall/routestopped) defines the sites for which ECN is to be disabled.

To use the new facility:

a) You must be running kernel 2.4.20.

b) You must have applied the ECN checksum fix from patch-o-matic or from http://www.shorewall.net/pub/shorewall/ecn/patch.

c) You must be running iptables 1.2.7a.

Note to patch-o-matic users -- If you install the pptp NAT/connection tracking patch, you must install the latest CVS version of iptables-1.2.7a. That version of iptables will then be incompatible with all other kernels that you have :-(

You may then turn on ECN on your firewall and other Linux systems (one way to do that is to include this command in /etc/shorewall/init: echo 1 > /proc/sys/net/ipv4/tcp_ecn).

-Tom

--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
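An added example, not Shorewall's own code and not part of the post above: a dry-run shell script that reads a file in the /etc/shorewall/ecn format described here (assumed, like routestopped, to have an INTERFACE column and an optional comma-separated HOST(S) column) and prints the iptables rules that would strip ECN from TCP traffic to the listed sites, then reports the host's own tcp_ecn setting. The rule shape (the ECN target with --ecn-tcp-remove in the mangle table) is my assumption about how such a per-site exception can be expressed, not a statement of what Shorewall generates.

```shell
#!/bin/sh
# Constructed example, not Shorewall's own code. Reads an ecn-style file
# (assumed columns: INTERFACE, optional HOST(S) comma-separated) and prints,
# without applying, the iptables rules that remove ECN bits from TCP packets
# leaving toward those hosts. Assumes the ECN target (--ecn-tcp-remove) exists.
ecn_rules() {
    # $1 = path of the ecn file
    while read -r iface hosts; do
        case "$iface" in ''|\#*) continue ;; esac    # skip blank and comment lines
        if [ -z "$hosts" ]; then
            # No HOST(S) column: apply to every TCP packet leaving the interface
            printf 'iptables -t mangle -A POSTROUTING -o %s -p tcp -j ECN --ecn-tcp-remove\n' "$iface"
            continue
        fi
        # HOST(S) may list several addresses or networks separated by commas
        for h in $(printf '%s' "$hosts" | tr ',' ' '); do
            printf 'iptables -t mangle -A POSTROUTING -o %s -p tcp -d %s -j ECN --ecn-tcp-remove\n' "$iface" "$h"
        done
    done < "$1"
}

# Print the host's current tcp_ecn sysctl value (1 = ECN on, 0 = off),
# or "unknown" where /proc/sys/net/ipv4/tcp_ecn does not exist.
tcp_ecn_state() {
    f=/proc/sys/net/ipv4/tcp_ecn
    [ -r "$f" ] && cat "$f" || echo unknown
}

# Constructed sample ecn file using RFC 5737 documentation addresses.
ECN_FILE=$(mktemp)
trap 'rm -f "$ECN_FILE"' EXIT
cat > "$ECN_FILE" <<'EOF'
#INTERFACE    HOST(S)
eth0          192.0.2.10,192.0.2.20
eth1          198.51.100.0/24
eth2
EOF

ecn_rules "$ECN_FILE"
echo "tcp_ecn on this host: $(tcp_ecn_state)"
```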