Thanks Tom,
Apologies for the obscured output; I am not at liberty to put the full dump on the mailing list, as much as I would like to, and I know it annoys you.

I will see how I go about gathering more info and get back to the list.

My ipset only contains sources, and I want to only allow the port forward from those sources.

shorewall show dynamic cust gives no output, but ipset -L does as per above.
Is that a clue?