Problems Corrected in 3.0.4

1) The shorewall.conf file is once again "console friendly". Patch is
   courtesy of Tuomo Soini.

2) A potential security hole has been closed. Previously, Shorewall
   ACCEPTed all traffic from a bridge port that was sent back out on the
   same port. If the port was described in /etc/shorewall/hosts using the
   wildcard "+" (eg, xenbr0:vif+), this could lead to traffic being passed
   in variance with the supplied policies and rules.

3) Previously, an intra-zone policy of NONE would cause a startup error.
   That problem has been corrected.

4) When RETAIN_ALIASES=Yes, the script produced by "shorewall save" did
   not add the retained aliases. This means that the following sequence of
   events resulted in missing aliases:

      shorewall start
      shorewall restart
      shorewall save
      reboot
      shorewall -f start (which is the default during boot up)

5) When a 2.x standard action is invoked with a log level (example
   "AllowPing:info"), logging does not occur.

New Features in 3.0.4

1) By popular demand, the "Limit" action described at
   http://www1.shorewall.net/PortKnocking.html#Limit has been made a
   standard action. Limit requires "recent match" support in your kernel
   and iptables.

2) DISABLE_IPV6 no longer disables local (loopback) IPV6 traffic. This
   change is reported to improve Java startup time on some distributions.

3) Shorewall now contains support for wildcard ports. In
   /etc/shorewall/hosts, you may specify the port name with trailing "+"
   then use specific port names in rules. Example:

      /etc/shorewall/hosts

      vpn     br0:tap+

      /etc/shorewall/hosts

      DROP    vpn:tap0    vpn:tap1    udp    9999

4) For the benefit of those who run Shorewall on distributions that don't
   autoload kernel modules, /etc/shorewall/modules now contains load
   commands for a wide range of Netfilter modules.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
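The following is an added illustration and is not part of Tom's announcement or of Shorewall itself. It models the trailing-"+" interface wildcard used in /etc/shorewall/hosts entries such as br0:tap+ and xenbr0:vif+ (item 2 under "Problems Corrected" and item 3 under "New Features"), and shows why a wildcard pattern is a poor stand-in for "the same bridge port": a pattern like vif+ is satisfied by vif1.0 on the way in and vif2.0 on the way out, so a check based on the pattern alone would let inter-port traffic bypass zone policy. The matching semantics (a trailing "+" matches any name with that prefix, no "+" means an exact match), the hosts table, the port names and the `decide` helper are all constructed for this example and are assumptions, not Shorewall's own code or logic.

```python
"""Interface wildcard matching for bridge-port hosts entries.

Added example, not Shorewall code. Assumed semantics (iptables style):
a trailing '+' matches any interface name beginning with the prefix,
a pattern without '+' must match the name exactly.
"""
from dataclasses import dataclass
from typing import List, Optional


def iface_matches(pattern: str, name: str) -> bool:
    """Return True if interface `name` is covered by `pattern`."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


@dataclass(frozen=True)
class HostEntry:
    """One line of a hosts table: ZONE  BRIDGE:PORT (constructed)."""
    zone: str
    bridge: str
    port: str


# Constructed hosts table, in the spirit of "vpn br0:tap+" and xenbr0:vif+.
HOSTS: List[HostEntry] = [
    HostEntry("vpn", "br0", "tap+"),
    HostEntry("dmz", "br0", "eth1"),
    HostEntry("vm", "xenbr0", "vif+"),
]


def zone_for(bridge: str, port: str, hosts: List[HostEntry] = HOSTS) -> Optional[str]:
    """Map a (bridge, physical port) pair to its zone; first match wins."""
    for entry in hosts:
        if entry.bridge == bridge and iface_matches(entry.port, port):
            return entry.zone
    return None


def same_port_by_pattern(pattern: str, in_port: str, out_port: str) -> bool:
    """The unsafe comparison: both ends merely satisfy the wildcard.

    This is true for vif1.0 -> vif2.0 under 'vif+', although those are
    two different ports.
    """
    return iface_matches(pattern, in_port) and iface_matches(pattern, out_port)


def same_port(in_port: str, out_port: str) -> bool:
    """The safe comparison: the concrete port names must be identical."""
    return in_port == out_port


def decide(bridge: str, in_port: str, out_port: str) -> str:
    """Hypothetical dispatch for traffic bridged between two ports.

    Traffic that leaves on exactly the port it arrived on is returned
    as ACCEPT (hairpin on one port); anything else is sent through the
    zone-to-zone policy, even when both ports fall under one wildcard.
    """
    if same_port(in_port, out_port):
        return "ACCEPT"
    src = zone_for(bridge, in_port) or "unknown"
    dst = zone_for(bridge, out_port) or "unknown"
    return f"POLICY {src}->{dst}"


if __name__ == "__main__":
    print(iface_matches("tap+", "tap0"), iface_matches("tap+", "eth0"))
    print(zone_for("br0", "tap3"), zone_for("br0", "eth1"), zone_for("br0", "eth2"))
    print(same_port_by_pattern("vif+", "vif1.0", "vif2.0"), same_port("vif1.0", "vif2.0"))
    print(decide("xenbr0", "vif1.0", "vif1.0"), "|", decide("xenbr0", "vif1.0", "vif2.0"))
```

The point of `same_port_by_pattern` versus `same_port` is the one behind item 2: when an entry is written with a wildcard, the only reliable test for "went back out the same port" is equality of the concrete port names, and everything else has to be subjected to the configured policies and rules.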