Tom and whoever else might know the answer -

I'm still working on getting shorewall and snort_inline in series, and the snort_inline developer has a question that I don't know the answer to (I'm not even sure I understand the question).

quote:

I am not totally sure, but I think only NEW traffic is passed to the QUEUE. As soon as it is ESTABLISHED, it will be ACCEPTed by the above '-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT' rule. But like I said, I'm not completely sure, so you better check the shorewall support channels for that. If I am right, snort_inline will hardly see any traffic, so then it is not so strange it doesn't cause alerts...

end quote.

So I guess I need to know under what circumstances a packet is routed to QUEUE - every packet, or just the first packet of a series of transactions? And if the latter, is there a way to change it?

Thanks!

Mike-

--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
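One way to check the rule-ordering question above against an `iptables-save` dump, as an added example that is not part of the original post: it reports which connection-tracking states can still reach each QUEUE rule. The sample ruleset, the QUEUE rule's port match and the function names are constructed; only the net2fw ACCEPT rule comes from the post, and the check looks at each chain on its own without following jumps.

```python
import shlex

# Constructed iptables-save sample. Only the net2fw ACCEPT rule is quoted in the
# post; the QUEUE rule and its port match are assumed for illustration.
SAMPLE = """\
*filter
:net2fw - [0:0]
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 80 -j QUEUE
COMMIT
"""
ALL_STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID"}
TERMINATING = {"ACCEPT", "DROP", "REJECT", "QUEUE"}  # chain traversal stops here

def parse_rule(line):
    """Return (chain, target, states, state_only) for an -A line, else None."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    rest, target, states, other, i = tok[2:], None, None, [], 0
    while i < len(rest):
        nxt = rest[i + 1] if i + 1 < len(rest) else None
        if rest[i] == "-j" and nxt:
            target, i = nxt, i + 2
        elif rest[i] in ("--state", "--ctstate") and nxt:
            states, i = set(nxt.split(",")), i + 2
        elif rest[i] == "-m" and nxt in ("state", "conntrack"):
            i += 2
        else:  # any other match (or a "!" negation) makes the rule narrower
            other.append(rest[i])
            i += 1
    return tok[1], target, states, bool(states) and not other

def states_reaching_queue(dump):
    """Map each QUEUE rule to the conntrack states that can still reach it."""
    remaining, result = {}, {}
    for line in dump.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        chain, target, states, state_only = rule
        left = remaining.setdefault(chain, set(ALL_STATES))
        if target == "QUEUE":
            result[line] = sorted(left & states if states else left)
        # Only a rule matching on state alone removes those states for certain.
        if target in TERMINATING and state_only:
            left -= states
    return result
```

For the sample, `states_reaching_queue(SAMPLE)` lists only INVALID and NEW for the QUEUE rule, because the earlier state-only ACCEPT rule is a terminating match for RELATED and ESTABLISHED packets.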