Hiya gang,

I happened to notice last night that my RD light on my modem was goin' ape-crazy, and my TD was only once in a while (maybe every 3 or 4 seconds) blinking, so I knew not much was going 'out'. I couldn't for the life of me remember where to look at logs for the firewall, until just now. This is a sample of what I found:

    Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=204.1.226.229 DST=(correct local address) LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=32768 PROTO=TCP SPT=65143 DPT=1054 WINDOW=8192 RES=0x00 SYN URGP=0

Okay, I checked and the SRC was *not* my ISP's remote address, the DST was correct though as *my* assigned address at the time (dial-up modem). I counted 'one second' of these, and had 65 instances within one second. The *only* thing changing at each instance during the one second was the DPT, which seemed to start at 1024 and go up to 1054, then start at 1024 all over again.

So, what I'd like to ask of anyone who knows is...

Starting with 'LEN' and going to 'URGP', what do each of those things mean (I think I understand the 'PROTO', heh)? I tried looking some of them up, but wasn't getting anything clear enough for an 'idiot' to understand.

Why would only the 'DPT' change, and why only that range?

Is/was this a DDoS? It sure didn't bother me any, since I could start a download or surf the web without any noticeable slowdown.

Does this mean that SuSEFirewall2 was doing its job well? (I'm leaning strongly toward 'it did a fantastic job')

Thanks if anyone finds these questions worth any answers. The curiosity is killin' me. lol

John
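
The following is an added example, not part of the original post: a small Python parser for firewall log lines of the shape quoted above, which reports per source address how many packets were dropped, the busiest single second, the destination-port spread and the TCP flags seen. The sample input is constructed from the post's description (65 lines in one second, DPT cycling 1024 to 1054), and the DST address 192.0.2.10 is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: 65 lines shaped like the one in the post, all in one second.
# The DST value 192.0.2.10 is a placeholder; the post withheld the real address.
SAMPLE = "\n".join(
    "Jul 29 19:44:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= "
    "SRC=204.1.226.229 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=32768 "
    f"PROTO=TCP SPT=65143 DPT={1024 + i % 31} WINDOW=8192 RES=0x00 SYN URGP=0"
    for i in range(65)
)

# Netfilter LOG fields: LEN total IP length in bytes, TOS/PREC type-of-service and
# precedence bits, TTL hops left, ID IP identification, SPT/DPT source/destination
# port, WINDOW TCP window size, RES TCP reserved bits, URGP TCP urgent pointer.
# Bare words such as SYN are the TCP flags set on the packet.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel:\s(?P<tag>\S+)\s(?P<rest>.*)$")

def parse_line(line):
    """Split one log line into timestamp, rule tag, KEY=value fields and bare flags."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m["rest"].split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        else:
            flags.append(tok)
    return {"ts": m["ts"], "tag": m["tag"], "fields": fields, "flags": flags}

def summarize(log_text):
    """Per source address: packet count, busiest second, DPT spread, flags seen."""
    acc = defaultdict(lambda: {"n": 0, "sec": defaultdict(int), "dpt": set(), "flags": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "SRC" not in rec["fields"]:
            continue  # not a firewall line, or truncated
        a = acc[rec["fields"]["SRC"]]
        a["n"] += 1
        a["sec"][rec["ts"]] += 1
        if rec["fields"].get("DPT", "").isdigit():
            a["dpt"].add(int(rec["fields"]["DPT"]))
        a["flags"].update(rec["flags"])
    return {src: {"count": a["n"], "peak_per_second": max(a["sec"].values()),
                  "dpt_min": min(a["dpt"], default=None), "dpt_max": max(a["dpt"], default=None),
                  "distinct_dpt": len(a["dpt"]), "flags": sorted(a["flags"])}
            for src, a in acc.items()}
```

Calling `summarize()` on the text of a real log file gives one entry per source, so a single address with a high per-second count, SYN-only flags and a narrow repeating port range stands out from ordinary dropped traffic.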