This update will be of interest to you if you use dynamic zones or if you
have an /etc/shorewall/start file and use the 'save' command.

http://shorewall.net/pub/shorewall/2.0/shorewall-2.0.12
ftp://shorewall.net/pub/shorewall/2.0/shorewall-2.0.12

Problems Corrected:

1. A typo in shorewall.conf (NETNOTSYN) has been corrected.

2. The "shorewall add" and "shorewall delete" commands now work in a
   bridged environment. The syntax is:

      shorewall add <interface>[:<bridge port>][:<address>] <zone>
      shorewall delete <interface>[:<bridge port>][:<address>] <zone>

   Examples:

      shorewall add br0:eth2:192.168.1.3 OK
      shorewall delete br0:eth2:192.168.1.3 OK

3. Previously, "shorewall save" created an out-of-sequence restore
   script. The commands saved in the user's /etc/shorewall/start script
   were executed prior to the Netfilter configuration being restored.
   This has been corrected so that "shorewall save" now places those
   commands at the end of the script.

   To accomplish this change, the "restore base" file
   (/var/lib/shorewall/restore-base) has been split into two files:

      /var/lib/shorewall/restore-base -- commands to be executed before
      the Netfilter configuration is restored.

      /var/lib/shorewall/restore-tail -- commands to be executed after
      the Netfilter configuration is restored.

4. Previously, traffic from the firewall to a dynamic zone member host
   did not need to match the interface specified when the host was
   added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
   zone Z then traffic out of any firewall interface to 1.2.3.4 will
   obey the fw->Z policies and rules. This has been corrected.

New Features:

1. Variable expansion may now be used with the INCLUDE directive.

   Example:

      /etc/shorewall/params

         FILE=/etc/foo/bar

      Any other config file:

         INCLUDE $FILE

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
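
The behavior change in corrected problem 4, as an added illustration that is not part of the announcement and is not Shorewall's code: a small Python model of dynamic zone membership that parses the <interface>[:<bridge port>][:<address>] form and classifies firewall-originated traffic with and without the interface check. The names Member, parse_member and zone_for_output, and the rule that a trailing field which is not an IPv4 address is a bridge port, are assumptions; the member list is constructed from the announcement's own examples.

```python
import ipaddress
from typing import List, NamedTuple, Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")  # used when the spec carries no address


class Member(NamedTuple):
    zone: str
    interface: str
    bridge_port: Optional[str]
    network: ipaddress.IPv4Network


def parse_member(spec: str, zone: str) -> Member:
    """Parse <interface>[:<bridge port>][:<address>] for a dynamic zone."""
    parts = spec.split(":")
    if not 1 <= len(parts) <= 3 or not all(parts):
        raise ValueError(f"bad host spec: {spec!r}")
    interface, rest = parts[0], parts[1:]
    network = ANY
    if rest:
        try:
            # Assumption: the last field is the address if it parses as IPv4.
            network = ipaddress.IPv4Network(rest[-1], strict=False)
            rest = rest[:-1]
        except ValueError:
            pass  # not an address, so it is treated as the bridge port
    if len(rest) > 1:
        raise ValueError(f"bad host spec: {spec!r}")
    return Member(zone, interface, rest[0] if rest else None, network)


def zone_for_output(members: List[Member], out_iface: str, dst: str,
                    check_interface: bool = True) -> Optional[str]:
    """Return the dynamic zone that fw->zone rules would apply to, or None.

    check_interface=False models the behavior before the fix (address only);
    check_interface=True models the corrected behavior (interface and address).
    """
    addr = ipaddress.IPv4Address(dst)
    for m in members:
        if addr in m.network and (not check_interface or m.interface == out_iface):
            return m.zone
    return None


if __name__ == "__main__":
    members = [parse_member("eth0:1.2.3.4", "Z")]  # constructed sample
    for strict in (False, True):
        print(strict, zone_for_output(members, "eth1", "1.2.3.4", strict))
```

With the interface check off, traffic leaving eth1 for 1.2.3.4 is still classified as fw->Z; with it on, only traffic leaving eth0 is.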