Problems corrected in Shorewall-perl 4.0.8.

1) Mark tests (such as in the TEST column of tcrules or the MARK column
   of the rules file) were ignoring the value 0. As part of this fix,
   the default mask generated by entries in these columns has been
   changed from 0xFF to 0xFFFF for compatibility with Shorewall-shell.

2) The compilation date recorded in the firewall.conf file produced by
   Shorewall-perl was previously mangled.

3) The ability to specify a DEST IP range (round-robin) in a DNAT rule
   has been restored. In versions 4.0.5 - 4.0.7, an IP range was
   incorrectly flagged as an error.

Problems corrected in Shorewall-shell 4.0.8.

1) Shorewall-shell now properly parses comma separated SOURCE (formerly
   SUBNET) values in the masq configuration file. Previously, the comma
   separated list was not split up into its components, resulting in an
   invalid address being passed to the iptables command.

   Example:

   # /etc/shorewall/masq
   #INTERFACE  SUBNET                   ADDRESS  PROTO  PORT(S)  IPSEC
   eth0        192.168.2.1,192.168.2.3

Known Problems Remaining.

1) The 'refresh' command doesn't refresh the mangle table. So changes
   made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
   not be reflected in the running ruleset.

Other changes in 4.0.8.

None.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
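The masq fix described above, sketched as an added example (this is not Shorewall-shell's own code): the SOURCE list is split on commas and every component is checked before any rule text is produced. The function names, the IPv4-only address check and the simplified POSTROUTING/MASQUERADE rule are assumptions for illustration; the masq entry is the one from the announcement.

```shell
#!/bin/sh
# Added illustration, not Shorewall code: it prints rules as text and runs nothing.

# valid_source ADDR: succeed only for a.b.c.d or a.b.c.d/len (assumed check)
valid_source() {
    addr=${1%/*}
    case $1 in */*) len=${1#*/} ;; *) len=32 ;; esac
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    saved_ifs=$IFS; set -f; IFS=.
    set -- $addr                  # split the address into octets
    IFS=$saved_ifs; set +f
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# masq_rules "INTERFACE SOURCE[,SOURCE...]": print one rule per source.
# Every component is validated before anything is printed, so a bad
# entry never yields a partial rule set.
masq_rules() {
    set -f; set -- $1; set +f     # columns are whitespace separated
    iface=$1; sources=$2
    [ -n "$iface" ] && [ -n "$sources" ] || return 1
    case $sources in *,) echo "trailing comma in SOURCE" >&2; return 1 ;; esac
    saved_ifs=$IFS; set -f; IFS=,
    set -- $sources               # split the list into its components
    IFS=$saved_ifs; set +f
    for src in "$@"; do
        valid_source "$src" || { echo "invalid SOURCE '$src'" >&2; return 1; }
    done
    for src in "$@"; do
        echo "iptables -t nat -A POSTROUTING -o $iface -s $src -j MASQUERADE"
    done
}

# The entry from the announcement: two rules, one per address.
masq_rules "eth0 192.168.2.1,192.168.2.3"
```

Passing the unsplit string to valid_source fails, which is the pre-4.0.8 symptom: the whole list reached iptables as a single invalid address.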