
Recently I changed the NAT/firewall setup scripts on my Debian box to Shorewall from ipmasq, because I couldn't figure out how to configure DNAT using ipmasq. There is a problem with the Shorewall setup that I cannot find any references to, neither in the docs nor by googling. This box does NAT/firewall for my small office LAN through a dial-up connection [1].

On boot, as Shorewall tries to start, I get messages saying: "modprobe: modprobe: can't locate module ppp0", until the script times out after 180s. After that, however, it seems to work fine. The issue is that this extends the startup time by 3 minutes.

I think this is because, following the "two interface setup" in the docs, I have set wait_interface="ppp0" in /etc/default/shorewall and this causes /usr/share/shorewall/wait4ifup to be executed. Since it's a dialup connection it can't find ppp0 at boot time, hence the problem. Removing the wait_interface causes the startup of Shorewall to fail. Seems like this would be a common issue, and since I can't find any references to it this makes me think I have missed something fundamental in the setup. Apart from this issue the rest of the setup works fine.

Ipmasq handles this situation by setting up LAN stuff at boot and then having a /etc/ppp/ip-up script to set up the external interface stuff.

What is the right way to resolve this issue? The solution I'm after is the "standard, out of the box" one. This is because if I put in customised stuff I will inevitably forget about it and then wonder why it's broken next time I upgrade something [2].

For now I have disabled shorewall at startup and added a script that contains only "/sbin/shorewall restart" to /etc/ppp/ip-up.d. This works but also involves customisation beyond what is described in the docs and is additional to the configuration provided by the package, i.e. if I remove the shorewall package my script will not be deleted.

I could just set the timeout in wait4ifup to be a smaller value, like 1 sec, which would solve the problem, but that seems like a hack that I shouldn't need, though it's more likely to be removed if I remove/purge the package.

Glenn

[1] In case you were wondering, DSL is not available where I live.
[2] And it's frustrating enough dealing with the stuff that breaks all by itself when you upgrade something.

--
Glenn Ramsey <glenn(a)componic.co.nz> 07 8627077 http://www.componic.co.nz
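The ip-up.d workaround described in the post, as an added example that is not the poster's script and is not shipped by Shorewall or Debian: it restarts Shorewall only when the link that just came up is the interface named by wait_interface, so an unrelated ppp link does not bounce the firewall. It assumes Debian's /etc/ppp/ip-up exports PPP_IFACE (pppd also passes the interface name as $1) and that wait_interface is set in /etc/default/shorewall as in the post.

```shell
#!/bin/sh
# Constructed /etc/ppp/ip-up.d hook (added example, not from the post or the Shorewall package).
# Assumes Debian's /etc/ppp/ip-up exports PPP_IFACE (pppd also passes the interface as $1)
# and that wait_interface is set in /etc/default/shorewall as described in the post.

# Print the wait_interface value from a shorewall defaults file ($1); empty if unset.
# Uses the last assignment, drops a trailing "# comment", the quotes and any whitespace.
wanted_iface() {
    grep '^[[:space:]]*wait_interface=' "$1" | tail -n 1 | cut -d'#' -f1 \
        | cut -d= -f2- | tr -d "\"'" | tr -d '[:space:]'
}

# Exit 0 when interface $1 is the one Shorewall waits for according to defaults file $2,
# 1 otherwise, so a different link coming up leaves the running firewall alone.
should_restart() {
    want=$(wanted_iface "$2")
    [ -n "$want" ] && [ "$1" = "$want" ]
}

# Hook entry point: only acts when invoked by pppd on a box that has Shorewall installed.
iface="${PPP_IFACE:-${1:-}}"
if [ -n "$iface" ] && [ -x /sbin/shorewall ] \
   && should_restart "$iface" /etc/default/shorewall; then
    logger -t ip-up.d/shorewall "restarting shorewall for $iface"
    /sbin/shorewall restart
fi
```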