Hi,

I've this problem: two Debian 4.0 firewalls with shorewall version 3.2.6.

I've these tcrules on both firewalls:

FW1

    2:P 192.168.11.0/24 172.16.33.13 tcp 1433
    2:P 192.168.0.0/24 172.16.33.13 tcp 1433

FW2

    2:P 172.16.33.13/32 192.168.11.0/24 tcp - 1433
    2:P 172.16.33.13/32 192.168.0.0/24 tcp - 1433
    2:P 192.168.1.10/32 - tcp - 80

The setup works OK, but as soon as one of the ends restarts its firewall, those two subnets cannot reach the SQL server. The tcrules work with an ip rule that forces the marked packets to use the faster ISP on a dual-WAN configuration.

But if I do a shorewall restart on both firewalls, the connection begins to work again!

If I do a shorewall show connections before restarting both firewalls, I get:

ON FW1:

    tcp 6 57 SYN_RECV src=192.168.11.25 dst=172.16.33.13 sport=2165 dport=1433 packets=1 bytes=48 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2165 packets=2 bytes=96 mark=0 use=1
    tcp 6 59 SYN_RECV src=192.168.11.25 dst=172.16.33.13 sport=2164 dport=1433 packets=1 bytes=48 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2164 packets=3 bytes=144 mark=0 use=1

ON FW2:

    tcp 6 49 SYN_RECV src=192.168.11.25 dst=172.16.33.13 sport=2162 dport=1433 packets=1 bytes=48 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2162 packets=3 bytes=144 mark=0 use=1
    tcp 6 46 SYN_RECV src=192.168.11.25 dst=172.16.33.13 sport=2161 dport=1433 packets=1 bytes=48 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2161 packets=3 bytes=144 mark=0 use=1

If I do a shorewall restart on both firewalls, I get:

    tcp 6 431997 ESTABLISHED src=192.168.11.25 dst=172.16.33.13 sport=2172 dport=1433 packets=86 bytes=9034 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2172 packets=107 bytes=87702 [ASSURED] mark=0 use=1

And everything starts working.

Any ideas? I'll supply a shorewall dump if necessary.

Thx.
-- 
Giacomo Lancella
System & Network Engineer
MCSE/MCSA - CCNA
giacomo@lancella.com
http://giacomo.lancella.com
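An added example, not part of the original post: a small Python parser for the `shorewall show connections` lines quoted in the message that lists flows sitting in SYN_RECV whose reply-direction packet counter is 2 or more. The function names are hypothetical, and the sample input is two of the post's own lines with spacing normalised.

```python
import re

# Sample input: two of the conntrack lines quoted in the post (spacing normalised).
SAMPLE = """\
tcp 6 57 SYN_RECV src=192.168.11.25 dst=172.16.33.13 sport=2165 dport=1433 packets=1 bytes=48 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2165 packets=2 bytes=96 mark=0 use=1
tcp 6 431997 ESTABLISHED src=192.168.11.25 dst=172.16.33.13 sport=2172 dport=1433 packets=86 bytes=9034 src=172.16.33.13 dst=192.168.11.25 sport=1433 dport=2172 packets=107 bytes=87702 [ASSURED] mark=0 use=1
"""

TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}


def parse_entry(line):
    """Split one TCP conntrack line into state, original tuple, reply tuple, extras."""
    fields = line.split()  # tcp entries start: proto, proto number, timeout, state
    entry = {"proto": fields[0], "state": fields[3], "orig": {}, "reply": {}, "extra": {}}
    for key, value in re.findall(r"(\w+)=(\S+)", line):
        if key not in TUPLE_KEYS:
            entry["extra"][key] = value      # mark=, use=
        elif key not in entry["orig"]:
            entry["orig"][key] = value       # first occurrence: original direction
        else:
            entry["reply"][key] = value      # second occurrence: reply direction
    return entry


def stalled_handshakes(text):
    """Return flows in SYN_RECV whose reply side has sent two or more packets.

    In SYN_RECV the firewall has seen the SYN and a SYN/ACK. Further reply
    packets are consistent with SYN/ACK retransmissions, i.e. the client's
    final ACK has not been seen by this box.
    """
    stalled = []
    for line in text.splitlines():
        if not line.startswith("tcp "):
            continue
        e = parse_entry(line)
        reply_packets = int(e["reply"].get("packets", 0))
        if e["state"] == "SYN_RECV" and reply_packets >= 2:
            o = e["orig"]
            stalled.append((o["src"], o["sport"], o["dst"], o["dport"],
                            reply_packets, e["extra"].get("mark")))
    return stalled


if __name__ == "__main__":
    for flow in stalled_handshakes(SAMPLE):
        print("stalled: %s:%s -> %s:%s reply_packets=%d mark=%s" % flow)
```

Running it against the output captured on each firewall shows which side keeps seeing repeated SYN/ACKs without the handshake completing.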