"Dark Ryder" has reported a bug in Shorewall 1.4.7; this bug is also present in Shorewall 1.4.8. The effect of the bug is that in DNAT rules that specify SNAT, the SNAT address can be effectively ignored in some cases. I have created corrected versions of the ''firewall'' script for both 1.4.7 (based on 1.4.7c) and 1.4.8; these corrections may be downloaded from the Errata page (http://www.shorewall.net/errata.htm). -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net