Secure Network-Based Install for SuSE 9.0...
Hi,

I'd like to create a secure network-based install for SuSE 9.0 with AutoYaST using iptables. Currently, I have the following working quite well on a private network:

- Server at 192.168.1.1 with SuSE 9.0 DVD contents NFS-exported and AutoYaST XML control file served via TFTP.
- Client connected through switch and booted from SuSE 9.0 CD1 with the following arguments:

    hostip=192.168.1.2 netmask=255.255.255.0 gateway=192.168.1.1
    install=nfs://192.168.1.1/export/i386/SuSE/9.0/DVD
    autoyast=tftp://192.168.1.1/test-1.xml

My goal is to move the server to a semi-public network and install clients in a manner similar to the above, but prohibit any network traffic to the client from anywhere but the server during the process.

I've read (most of) Anas' fine AutoYaST documentation, the Linux Bootdisk HOWTO, and the kernel's initrd.txt file, as well as some of the messages on this list. I've missed it if anyone has described how to do this before, but here is my plan of attack:

- Copy SuSE 9.0 CD1 to hard drive.
- Gunzip and mount the CD's /boot/loader/initrd.
- Copy iptables.o to initrd's /modules directory and add an entry to the [autoload] section of initrd's /modules/module.config file.
- Unmount and gzip the initrd image.
- Create a template entry for the long-winded boot arguments above in the CD's /boot/loader/isolinux.cfg.
- Burn a custom SuSE 9.0 CD1 from the hard drive.
- Create a pre-script in my test-1.xml file which runs "iptables <some rule>".

Has anyone done something similar who can offer advice/comments? I like the extended boot arguments, because I can't rely on PXE or DHCP everywhere. I'm not stuck on iptables, if there's a similar way to do it otherwise. I have the sense that I may be working with the wrong ramdisk (/boot/loader/initrd) since I found no /lib directory and an incredibly sparse /bin directory there...

Much appreciated,
Roy
Roy Butler
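
One way the "iptables <some rule>" pre-script from the plan above could look, as an added example that is not part of the original post. It assumes the iptables binary and the kernel's packet-filter support are available in the install environment; the function names and the --apply switch are hypothetical, and 192.168.1.1 is the server address from the post.

```shell
#!/bin/sh
# Added example (not from the original post): accept inbound packets only
# from the install server, drop everything else.

# Validate a dotted-quad address so it is safe to embed in a rule line.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                     # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set for one server address (dry run, nothing is applied).
# ACCEPT rules come first so the DROP policy never cuts off the NFS mount.
lockdown_rules() {
    server=$1
    is_ipv4 "$server" || { echo "invalid server address: $server" >&2; return 1; }
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s $server -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF
}

# Apply the rules; stop at the first iptables command that fails.
apply_lockdown() {
    rules=$(lockdown_rules "$1") || return 1
    echo "$rules" | sh -e
}

# In the pre-script: sh lockdown.sh --apply 192.168.1.1
if [ "${1:-}" = "--apply" ]; then
    apply_lockdown "${2:-192.168.1.1}"
fi
```

Matching on the server's source address rather than on ports keeps NFS and TFTP working, since both use ports that are not fixed in advance. Because the pre-script is delivered inside the profile fetched over TFTP, the client's interface is unfiltered until the profile has been retrieved and the script runs.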