Comment # 3 on bug 944355 from
I've looked into this but can't see how the described situation can happen.

Maybe something changed in SuSEfirewall in the meantime, so that this no
longer applies?

The FORWARD chain runs in policy DROP, i.e. all packets that are not
explicitly whitelisted by some rule will not be forwarded.

All ACCEPT rules in the forward chains created by SuSEfirewall2 only match on
"--ctstate NEW,RELATED,ESTABLISHED", i.e. state INVALID should never be
forwarded.

Maybe it's only a special configuration when this can happen. I've tested this
with options like:

  FW_FORWARD_MASQ="10.0.0.0/8,192.168.2.3,tcp,23,22"
  FW_MASQUERADE="yes"
  FW_MASQ_DEV="ens3"
  FW_MASQ_NETS="192.168.1.0/24"

I think that covers all masquerading-related options of SuSEfirewall2.
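
The check described in the comment above (FORWARD policy DROP, every forwarding ACCEPT rule restricted by conntrack state so INVALID is never accepted) can be run against `iptables-save` output. This is an added example, not part of the original comment or of SuSEfirewall2; the sample ruleset, its chain names and the function names are constructed for illustration.

```python
import shlex

# Constructed iptables-save excerpt (not from the bug report); chain names are illustrative.
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
-A FORWARD -i ens3 -j forward_ext
-A FORWARD -i ens4 -j forward_int
-A forward_ext -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A forward_int -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -d 192.168.2.3/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def _matches_invalid(tok):
    for i, t in enumerate(tok[:-1]):
        if t in ("--ctstate", "--state"):
            states = set(tok[i + 1].split(","))
            negated = i > 0 and tok[i - 1] == "!"
            return ("INVALID" not in states) if negated else ("INVALID" in states)
    return True  # no state match at all: the rule accepts any conntrack state

def audit_forward(dump):
    """Return (FORWARD policy, ACCEPT rules reachable from FORWARD that can match INVALID)."""
    policy, rules, in_filter = None, {}, False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif in_filter and line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A "):
            tok = shlex.split(line)
            rules.setdefault(tok[1], []).append(tok)
    findings, seen, todo = [], set(), ["FORWARD"]
    while todo:  # walk every user chain jumped to from FORWARD
        chain = todo.pop()
        if chain in seen:
            continue
        seen.add(chain)
        for tok in rules.get(chain, []):
            target = next((tok[i + 1] for i, t in enumerate(tok[:-1]) if t in ("-j", "-g")), None)
            if target in rules:
                todo.append(target)
            elif target == "ACCEPT" and _matches_invalid(tok):
                findings.append(" ".join(tok))
    return policy, findings
```

The audit is conservative: it flags an unrestricted ACCEPT even when an earlier rule in the same chain already drops INVALID packets, so each finding needs a look at the rules that precede it.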

