diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 49ee302bb..1d7a5a8d5 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -4043,25 +4043,29 @@ process_rule() # $1 = target
 # 16 ports are listed - use multiport match.
 #
 multioption="-m multiport"
- for client in $(separate_list ${clients:=-}); do
- #
- # add_a_rule() modifies these so we must set their values each time
- #
- server=${servers:=-}
- port=${ports:=-}
- cport=${cports:=-}
- add_a_rule
+ for clientrange in $(separate_list ${clients:=-}); do
+ for client in $(ip_range $clientrange); do
+ #
+ # add_a_rule() modifies these so we must set their values each time
+ #
+ server=${servers:=-}
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_a_rule
+ done
 done
 else
 #
 # MULTIPORT is disabled or the rule isn't compatible with multiport match
 #
 multioption=
- for client in $(separate_list ${clients:=-}); do
- for port in $(separate_list ${ports:=-}); do
- for cport in $(separate_list ${cports:=-}); do
- server=${servers:=-}
- add_a_rule
+ for clientrange in $(separate_list ${clients:=-}); do
+ for client in $(ip_range $clientrange); do
+ for port in $(separate_list ${ports:=-}); do
+ for cport in $(separate_list ${cports:=-}); do
+ server=${servers:=-}
+ add_a_rule
+ done
 done
 done
 done
@@ -4081,14 +4085,16 @@ process_rule() # $1 = target
 # 16 ports are listed - use multiport match.
 #
 multioption="-m multiport"
- for client in $(separate_list ${clients:=-}); do
- for server in $(separate_list ${servers:=-}); do
- #
- # add_a_rule() modifies these so we must set their values each time
- #
- port=${ports:=-}
- cport=${cports:=-}
- add_a_rule
+ for clientrange in $(separate_list ${clients:=-}); do
+ for client in $(ip_range $clientrange); do
+ for server in $(separate_list ${servers:=-}); do
+ #
+ # add_a_rule() modifies these so we must set their values each time
+ #
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_a_rule
+ done
 done
 done
 else
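Review bot: The `for clientrange … for client in $(ip_range $clientrange)` nesting added here is the same edit applied to four loop nests (both halves of this hunk, the hunk at 4081 and the one at 4096), each of which now has to carry an extra `done`; expanding the clients once before the MULTIPORT test, e.g. `clients=$(for r in $(separate_list ${clients:=-}); do ip_range $r; done)`, would let the four existing `for client in …` loops stay as they were, provided separate_list tolerates an already space-separated list. A short comment at the first loop is also worth adding, `# ip_range expands a first-last range into one address per rule`, because in the non-multiport branch below the number of add_a_rule calls is now range size × ports × cports and nothing visible in this hunk bounds the range size. process_rule begins before and ends after the hunk.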
@@ -4096,11 +4102,13 @@ process_rule() # $1 = target
 # MULTIPORT is disabled or the rule isn't compatible with multiport match
 #
 multioption=
- for client in $(separate_list ${clients:=-}); do
- for server in $(separate_list ${servers:=-}); do
- for port in $(separate_list ${ports:=-}); do
- for cport in $(separate_list ${cports:=-}); do
- add_a_rule
+ for clientrange in $(separate_list ${clients:=-}); do
+ for client in $(ip_range $clientrange); do
+ for server in $(separate_list ${servers:=-}); do
+ for port in $(separate_list ${ports:=-}); do
+ for cport in $(separate_list ${cports:=-}); do
+ add_a_rule
+ done
 done
 done
 done
diff --git a/Shorewall2/functions b/Shorewall2/functions
index 791e035b1..04f9bc457 100755
--- a/Shorewall2/functions
+++ b/Shorewall2/functions
@@ -546,13 +546,20 @@ encodeaddr() {
 ip_range() {
 local first last l x y z vlsm
- case $1 in
- [0-9]*.*.*.*-*.*.*.*)
- ;;
- *)
- echo $1
- return
- ;;
+ case $1 in
+ !*)
+ #
+ # Let iptables complain if it's a range
+ #
+ echo $1
+ return
+ ;;
+ [0-9]*.*.*.*-*.*.*.*)
+ ;;
+ *)
+ echo $1
+ return
+ ;;
 esac
 first=$(decodeaddr ${1%-*})
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index d949ae724..ff262e477 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -431,5 +431,11 @@ New Features:
 13) Shorewall now verifies that your kernel and iptables have physdev match support if BRIDGING=Yes in shorewall.conf.
-
+
+14) IP address ranges are now allowed in the SOURCE column of the
+ /etc/shorewall/rules file.
+
+ Example:
+
+ ACCEPT net:192.0.2.9-192.9.2.17 fw tcp 25
diff --git a/Shorewall2/rules b/Shorewall2/rules
index e632cbeef..3441ef34d 100755
--- a/Shorewall2/rules
+++ b/Shorewall2/rules
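Review bot: The new `!*)` arm at the top of the case in ip_range is behaviorally identical to the `*)` fallback below it — a value starting with `!` cannot match `[0-9]*.*.*.*-*.*.*.*` — so the only thing it changes is the comment, and a negated range of the form `!<first>-<last>` is still echoed through unexpanded for iptables to reject, which surfaces as an iptables error rather than as a rules-file error naming the offending entry. Since a negation cannot be expressed by expanding the range into per-address rules, matching `!*-*)` explicitly and failing through the script's own error reporting would make the unsupported case visible where it is written. While touching these lines, `echo $1` would be safer as `echo "$1"`, so a malformed entry containing shell glob characters is not word-split or expanded against the current directory before it reaches the caller. ip_range continues past the end of the hunk.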
@@ -118,6 +118,9 @@
 # address; mac addresses must begin with "~" and must use
 # "-" as a separator.
 #
+# Hosts may be specified as an IP address range using the
+# syntax -.
+#
 # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
 #
 # net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
@@ -129,6 +132,10 @@
 # loc:~00-A0-C9-15-39-78 Host in the local zone with
 # MAC address 00:A0:C9:15:39:78.
 #
+# net:192.0.2.11-192.0.2.17
+# Hosts 192.0.2.11-192.0.2.17 in
+# the net zone.
+#
 # Alternatively, clients may be specified by interface
 # by appending ":" to the zone name followed by the
 # interface name. For example, loc:eth1 specifies a
@@ -159,7 +166,7 @@
 # 3. You may not specify both an interface and
 # an address.
 #
-# Unlike in the SOURCE column, you may specify a range of
+# Like in the SOURCE column, you may specify a range of
 # up to 256 IP addresses using the syntax
 # -. When the ACTION is DNAT or DNAT-,
 # the connections will be assigned to addresses in the