[0:root@apinetstore shorewall]$ rpm -qa | grep -i shorewall shorewall-core-4.5.15-1.fc19.noarch shorewall-4.5.15-1.fc19.noarch There is a bug in tcrules processing that will not allow you to OR a mark: /etc/shorewall/tcrules: $MEMPHIS_VPN1_FWMARK/$CONNMASK $FW:+IpUp $MEMPHIS_COMCAST_VPN_IP esp |$NEW_OUTPUT_MARK $FW - all - - - !0/$CONNMASK CONTINUE $FW - all - - - !0/$CONNMASK This will not compile without the attached patch. Notice the ! and the | characters. Thanks for all the effort put in to making Shorewall a great tool. Bill ------------------------------------------------------------------------------ WatchGuard Dimension instantly turns raw network data into actionable security intelligence. It gives you real-time visual feedback on key security issues and trends. Skip the complicated setup - simply import a virtual appliance and go from zero to informed in seconds. http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk