Hi. I'm really ashamed to be asking this question. Read on, and you'll see why.

I previously had a problem with my firewall, which uses SuSEfirewall2, not working with DHCP. Erwin Lam helped me straighten that out, by adding FW_SERVICES_EXT_UDP="bootpc" to the configuration. The firewall was working perfectly.

Well, I had the firewall running on an old computer that wasn't good for much else. Last night it died, and I don't have time to fix it right now, so I went out and bought a new one. But I didn't have a backup of its configuration (that's why I'm ashamed), so I had to recreate it from scratch. I included the FW_SERVICES_EXT_UDP="bootpc" this time, but it still fails the same way it used to: It acquires the lease just fine when the computer reboots, but once the firewall is up it can't renew the lease.

The system is running SuSE 7.1 with all current patches, including k_deflt-2.4.16-37.i386.rpm

I'm sure I just made some stupid mistake here, in my haste to get this thing running. Can anybody spot it?

Here's the firewall2 configuration (comments and blank lines omitted):

,----
| FW_DEV_EXT="eth1"
| FW_DEV_INT="eth0"
| FW_DEV_DMZ=""
| FW_ROUTE="yes"
| FW_MASQUERADE="yes"
| FW_MASQ_DEV="$FW_DEV_EXT"
| FW_MASQ_NETS="192.168.1.0/24"
| FW_PROTECT_FROM_INTERNAL="yes"
| FW_AUTOPROTECT_SERVICES="yes"
| FW_SERVICES_EXT_TCP=""
| FW_SERVICES_EXT_UDP="bootpc bootps domain" # Common: domain
| FW_SERVICES_EXT_IP="domain"
| FW_SERVICES_DMZ_TCP=""
| FW_SERVICES_DMZ_UDP=""
| FW_SERVICES_DMZ_IP=""
| FW_SERVICES_INT_TCP="ssh ntp"
| FW_SERVICES_INT_UDP="ntp domain"
| FW_SERVICES_INT_IP=""
| FW_TRUSTED_NETS=""
| FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
| FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
| FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
| FW_SERVICE_DNS="no"
| FW_SERVICE_DHCLIENT="yes"
| FW_SERVICE_DHCPD="no"
| FW_SERVICE_SQUID="no"
| FW_SERVICE_SAMBA="no"
| FW_FORWARD="" # Beware to use this!
| FW_FORWARD_MASQ="" # Beware to use this!
| FW_REDIRECT=""
| FW_LOG_DROP_CRIT="yes"
| FW_LOG_DROP_ALL="no"
| FW_LOG_ACCEPT_CRIT="yes"
| FW_LOG_ACCEPT_ALL="no"
| FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
| FW_KERNEL_SECURITY="yes" # Also tried this with "no", no difference
| FW_STOP_KEEP_ROUTING_STATE="no"
| FW_ALLOW_PING_FW="yes"
| FW_ALLOW_PING_DMZ="no"
| FW_ALLOW_PING_EXT="no"
| FW_ALLOW_FW_TRACEROUTE="yes"
| FW_ALLOW_FW_SOURCEQUENCH="yes"
| FW_ALLOW_FW_BROADCAST="no"
| FW_IGNORE_FW_BROADCAST="yes"
| FW_ALLOW_CLASS_ROUTING="no"
`----

Thanks for your help. I've been staring at this for hours and I can't see the problem.

--
Alan Hadsell
If brute force doesn't work, you aren't using enough.