Sorry for the back-to-back releases but there have been quite a few bugs found in 3.0.0 so it seems like a good idea to make 3.0.1 available now.

Problems Corrected in 3.0.1

1) If the previous firewall configuration included a policy other than ACCEPT in the nat, mangle or raw tables then Shorewall would not set the policy to ACCEPT. This could result in a ruleset that rejected or dropped all traffic.

2) The Makefile was broken such that 'make' didn't always work correctly.

3) If the SOURCE or DEST column in a macro body was non-empty and a dash ("-") appeared in the corresponding column of an invocation of that macro, then an invalid rule was generated.

4) The comments in the /etc/shorewall/blacklist file have been updated to clarify that the PORTS column refers to destination port number/service names.

5) When CLAMPMSS is set to a value other than "No" and FASTACCEPT=Yes, the order of the rules generated was incorrect, causing RELATED TCP connections to not have CLAMPMSS applied.

New Features in 3.0.1

1) To make the macro facility more flexible, Shorewall now examines the contents of the SOURCE and DEST columns in both the macro body and in the invocation and tries to create the intended rule. If the value in the invocation appears to be an address (IP or MAC) or the name of an ipset, then it is placed after the value in the macro body. Otherwise, it is placed before the value in the macro body.

   Example 1:

   /etc/shorewall/macro.foo:

       PARAM   -     192.168.1.5   tcp   http

   /etc/shorewall/rules:

       foo/ACCEPT   net   loc

   Effective rule:

       ACCEPT   net   loc:192.168.1.5   tcp   http

   Example 2:

   /etc/shorewall/macro.bar:

       PARAM   net   loc   tcp   http

   /etc/shorewall/rules:

       bar/ACCEPT   -   192.168.1.5

   Effective rule:

       ACCEPT   net   loc:192.168.1.5   tcp   http

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
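The SOURCE/DEST merging rule described in the release notes above, as an added example that is not part of the original message and is not Shorewall's own code. The function names are hypothetical, and the test for "appears to be an address" (dotted-quad IP or network, `~`-prefixed MAC, `+`-prefixed ipset name) is a simplifying assumption; negation and address ranges are not handled.

```shell
#!/bin/sh
# Added illustration of the 3.0.1 macro column merging rule (not Shorewall code).

# Succeed if VALUE looks like an IP address/network, a MAC (~xx-xx-xx-xx-xx-xx)
# or an ipset name (+name). Assumed heuristic; anything else is a zone name.
looks_like_address() {
    case $1 in
        +*)            return 0 ;;   # ipset name
        \~*-*-*-*-*-*) return 0 ;;   # MAC address in Shorewall notation
        *[!0-9./]*)    return 1 ;;   # contains letters etc.: treat as a zone
        *.*.*.*)       return 0 ;;   # dotted quad, optionally with /mask
        *)             return 1 ;;
    esac
}

# merge_column BODY_VALUE INVOCATION_VALUE
# "-" means empty. An address-like invocation value goes after the macro
# body value; anything else goes before it.
merge_column() {
    body=$1 inv=$2
    if [ "$body" = "-" ]; then body=""; fi
    if [ "$inv" = "-" ]; then inv=""; fi
    if [ -z "$inv" ]; then echo "${body:--}"
    elif [ -z "$body" ]; then echo "$inv"
    elif looks_like_address "$inv"; then echo "$body:$inv"
    else echo "$inv:$body"
    fi
}

# expand_rule ACTION INV_SOURCE INV_DEST "MACRO BODY LINE"
# Substitutes ACTION for PARAM and merges the SOURCE and DEST columns.
expand_rule() {
    action=$1 inv_src=$2 inv_dest=$3
    set -- $4                        # split the macro body line into columns
    target=$1
    if [ "$target" = PARAM ]; then target=$action; fi
    src=$(merge_column "$2" "$inv_src")
    dest=$(merge_column "$3" "$inv_dest")
    shift 3
    echo "$target $src $dest $*"
}

# The two examples from the release notes.
expand_rule ACCEPT net loc 'PARAM - 192.168.1.5 tcp http'
expand_rule ACCEPT - 192.168.1.5 'PARAM net loc tcp http'
```

Both calls print the same effective rule, which shows why the placement rule matters: a zone must precede the address it qualifies regardless of which side supplied it.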