Sam, I'm not sure what you are running into, but if you did a quick swap and test, your switches may not have caught up to the changes by the time you tested. I ran into that when doing a midday cutover to a new firewall. You can avoid that by pinging from Leaf to the DNAT target and vice-versa. Once you see those pings going, this is a non-issue.
Here is a rule from a functional firewall that is DNAT'ing traffic arriving on a specific interface (in this case the only one in zone net2) and a specific (fake) IP on that interface for you to compare to the old version of the rule. > DNAT net2 loc:10.1.3.4 tcp 80 - 69.254.254.254 On 5/21/2012 4:52 PM, Sam Cappello wrote: > Hi, > I have been running shorewall 1.3.9b on lrp Bering 1.0-rc4 for many ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users