On 09/27/2012 06:36 AM, Steve Clark wrote:
> I was trying to figure out what criteria to use to mark the connection.
> FTP is such a braindead application, using two channels and active and
> passive mode. What really needs to happen is some way to tell the kernel
> to recheck the routing after SNAT.

I'm mostly sure that if you mark the *connection* to the FTP server, the
related data will follow its path.

Again, multipath routing is complex, and Shorewall will do it properly. At
the very least, I recommend building a working configuration with Shorewall
and then reading the rules that it compiles to understand why it handles
routing the way that it does.
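As an added example (not code from either participant in the thread), the rule set below shows the mechanism the reply relies on: the control connection to the FTP server gets a connmark in mangle PREROUTING, the helper-expected data connection inherits that connmark from its master, and `--restore-mark` plus an `ip rule fwmark` entry steer both through the same uplink before SNAT is applied. Interface, gateway, server address, table number and mark value are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: eth2 = second uplink,
# 203.0.113.1 its gateway, 198.51.100.10 the FTP server, table 200, mark 0x2.
WAN2_IF=eth2
WAN2_GW=203.0.113.1
FTP_SERVER=198.51.100.10
TABLE=200
MARK=0x2

# Print the commands instead of running them, so they can be reviewed
# before being applied as root (pass --apply to execute them).
ftp_uplink_rules() {
    cat <<EOF
modprobe nf_conntrack_ftp
ip route replace default via $WAN2_GW dev $WAN2_IF table $TABLE
ip rule add fwmark $MARK lookup $TABLE
# Kernels >= 4.7 no longer attach helpers automatically: bind ftp explicitly.
iptables -t raw -A PREROUTING -p tcp --dport 21 -d $FTP_SERVER -j CT --helper ftp
# 1. Copy the connection mark back onto every packet first. A data connection
#    (active or passive) is created from the control connection's expectation
#    and inherits its connmark, so its packets pick up the mark here.
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# 2. Only still-unmarked NEW control connections to the server get marked.
iptables -t mangle -A PREROUTING -m connmark --mark 0 -m conntrack --ctstate NEW \\
    -p tcp --dport 21 -d $FTP_SERVER -j MARK --set-mark $MARK
# 3. Persist the packet mark into the conntrack entry.
iptables -t mangle -A PREROUTING -m mark --mark $MARK -j CONNMARK --save-mark
# 4. Routing has already chosen $WAN2_IF by the time SNAT runs in POSTROUTING,
#    so the translated source matches the uplink actually used.
iptables -t nat -A POSTROUTING -o $WAN2_IF -j MASQUERADE
ip route flush cache
EOF
}

# Rule ordering matters: --restore-mark must precede the NEW-connection rule,
# otherwise data-connection packets are routed before they carry the mark.
restore_precedes_set() {
    ftp_uplink_rules | grep -n -e '--restore-mark' -e '--set-mark' \
        | head -1 | grep -q -- '--restore-mark'
}

if [ "${1:-}" = "--apply" ]; then
    ftp_uplink_rules | sh -e
fi
```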