My new DSL line came complete with a new Modem that is configured/monitored from a web browser. That inspired me to add a couple of new features to to the masq file which you can find in 2.1.1 (see attached release notes, New Feature 2). The modem has IP address 192.168.1.1 and is connected to eth0. My local network is 192.168.1.0/24 and is connected to eth2 which has IP address 192.168.1.254. /etc/shorewall/masq has added: +eth0::192.168.1.1 0.0.0.0/0 192.168.1.254 The above rule uses the new features: The leading "+" causes the rule to be placed ahead of one-to-one NAT rules. The "::" prevents ADD_SNAT_ALIASES=Yes from trying to add 192.168.1.254 as an IP address on eth0. /etc/shorewall/proxyarp has added 192.168.1.1 eth0 eth2 yes /etc/network/interfaces (Debian-specific) has the last line below added: iface eth0 inet static address 206.124.146.176 netmask 255.255.255.0 network 206.124.146.0 broadcast 206.124.146.255 gateway 206.124.146.254 up ip route add 192.168.1.1 dev eth0 Voila! I can access the web server in the modem from both the firewall and my local network. http://shorewall.net/pub/shorewall/2.1/shorewall-2.1.1 ftp://shorewall.net/pub/shorewall/2.1/shorewall-2.1.1 -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net