Hi Marc and all on the list!

Short abstract: How to profit from SuSEfirewall2 when having to use a bridge as `gateway/firewall'?

Long version: Our institute has put up a packetfilter on a linux-2.2.19 with the bridge-ipchains patches. We have to use a bridge for this (policy of the internal university net that you don't have access to the routers). Since the bridge-ipchains patches work specially, in the respect that all packets traversing the bridge have to be filtered in the br0 chain, no `predesigned' packetfilter could work.

Now the bridge-netfilter code is stable (although version number 0.0.2 ;-) and the filtering way has changed so that the packets traversing the bridge are checked in the FORWARD table.

Since we want to profit from the good work done on SuSEfirewall2 and the improved filtering options of netfilter, and especially because we are - a typical problem of universities - only part-time sysadmins and primarily logicians/mathematicians, I want to use SuSEfirewall2 to replace my homegrown ruleset.

Now the question: Is this possible at all?

Problems I found:
The IP addresses for DEV_INT and DEV_EXT are the same due to being a bridge.
I also want to do all the filtering done for the INPUT line for the FORWARD line.

Hoping to hear a few suggestions, I wish all a good time.

Best wishes

Norbert

-----------------------------------------------------------------------
Norbert Preining <preining@logic.at>
University of Technology Vienna, Austria
gpg DSA: 0x09C5B094
-----------------------------------------------------------------------
IBSTOCK (n.)
Anything used to make a noise on a corrugated iron wall or clinker-built fence by dragging it along the surface while walking past it. 'Mr Bennett thoughtfully selected a stout ibstock and left the house.' - Jane Austen, Pride and Prejudice, II.
--- Douglas Adams, The Meaning of Liff