Using Shorewall version 1.4.1, it is impossible to make the firewall route traffic from a group of hosts back to itself. This makes it very awkward to set up access by external IP to a local server (FAQ#2) and to set up a transparent proxy in your local network (you basically have to place the server(s) in its/their own zone).

This problem is corrected in Shorewall version 1.4.2 through the addition of the "routeback" option in the interfaces and hosts files.

If you are using either of the setups described above, I strongly recommend that you not run Shorewall 1.4.1 and that you install 1.4.2 instead.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net