On Mon, 1 Apr 2002, Alan Hadsell wrote: AH> Hi -- AH> AH> My system specs: Small LAN, mixed Windows and SuSE Linux 7.1. One box AH> is directly connected to the Internet via a cable modem, performing AH> firewall and masquerading duty for the other machines on the system. AH> This box is running the kernel from k_i386-2.4.16-34.i386.rpm. It AH> also runs SuSEfirewall2 (2.1.0) and ICSA DHClient (from the 7.1 AH> distribution CDRom). When it's working, it works very well. AH> AH> My problem: When the DHCP lease times out, the firewall box can't AH> acquire a new one. It appears that the firewall's anti-spoofing rules AH> are blocking the DHCP server's reply. At the time when this happens, AH> I get numerous SuSE-FW-DROP-ANTI-SPOOFING messages with source port = AH> 67 and destination port = 68. At this point, I lose all Internet AH> connectivity until I reboot the firewall box. AH> AH> My configuration includes FW_SERVICE_DHCLIENT="yes". AH> AH> Although I have a reasonable theoretical understanding of iptables, I AH> have to admit that the SuSEfirewall2 script, especially in the area of AH> antispoofing, is well beyond me. If anyone can help with this, I'm AH> all ears. AH> AH> Thanks, AH> AH> Hello Alan, You also need to set FW_SERVICES_EXT_UDP="bootpc" Regards, Erwin Lam -- Erwin Lam (erwin.lam@gmx.net)