I've looked into this but can't see how the described situation can happen. Maybe something changed in SuSEfirewall in the meantime, so that this no longer applies?

The FORWARD chain runs in policy DROP, i.e. all packets that are not explicitly whitelisted by some rule will not be forwarded. All ACCEPT rules in the forward chains created by SuSEfirewall2 only match on "--ctstate NEW,RELATED,ESTABLISHED", i.e. state INVALID should never be forwarded. Maybe it's only a special configuration where this can happen.

I've tested this with options like:

    FW_FORWARD_MASQ="10.0.0.0/8,192.168.2.3,tcp,23,22"
    FW_MASQUERADE="yes"
    FW_MASQ_DEV="ens3"
    FW_MASQ_NETS="192.168.1.0/24"

I think that covers all masquerading related options of SuSEfirewall2.
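As an added illustration of the invariant the comment describes (this is example code, not from the comment or from SuSEfirewall2 itself): a small audit that parses iptables-save style output, walks FORWARD and every user chain it jumps to, reports the FORWARD policy, and flags any ACCEPT that does not restrict ctstate or that lists INVALID. The ruleset, chain names and the deliberately weak dport 23 rule are constructed for the example.

```python
import re

# Constructed iptables-save style output, loosely modelled on the chain layout
# SuSEfirewall2 uses (FORWARD -> forward_ext); not captured from a real system.
# The dport 23 ACCEPT deliberately lacks a ctstate match so the audit flags it.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ens3 -j forward_ext
-A forward_ext -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -d 192.168.2.3 --dport 22 -j ACCEPT
-A forward_ext -p tcp -d 192.168.2.3 --dport 23 -j ACCEPT
-A forward_ext -j DROP
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+) (\S+) ")      # ":CHAIN POLICY [pkts:bytes]"
RULE_RE = re.compile(r"^-A (\S+) (.*)$")        # "-A CHAIN rule-spec"
STATE_RE = re.compile(r"--(?:ctstate|state) (\S+)")
TARGET_RE = re.compile(r"-j (\S+)")

def audit_forward(ruleset):
    """Return (FORWARD policy, ACCEPT rules reachable from FORWARD that could
    admit a conntrack-INVALID packet: no ctstate match, or one listing INVALID)."""
    policies, chains = {}, {}
    for line in ruleset.splitlines():
        if m := POLICY_RE.match(line):
            policies[m.group(1)] = m.group(2)
            chains.setdefault(m.group(1), [])
        elif m := RULE_RE.match(line):
            chains.setdefault(m.group(1), []).append(m.group(2))
    findings, seen, todo = [], {"FORWARD"}, ["FORWARD"]
    while todo:                      # walk FORWARD and the user chains it jumps to
        chain = todo.pop()
        for rule in chains.get(chain, []):
            target = TARGET_RE.search(rule)
            tgt = target.group(1) if target else None
            if tgt in chains and tgt not in seen:
                seen.add(tgt)
                todo.append(tgt)
            elif tgt == "ACCEPT":
                st = STATE_RE.search(rule)
                if st is None or "INVALID" in st.group(1).split(","):
                    findings.append(f"{chain}: {rule}")
    return policies.get("FORWARD"), findings
```

Feed it the real output of `iptables-save` to confirm that FORWARD is policy DROP and that no reachable ACCEPT lets INVALID through; an empty findings list is the expected result on a stock SuSEfirewall2 ruleset.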