Hi,

I have this scenario:

Subnet A
Hosts n ----- Gateway ----- Fileservers NFS

Hosts n: mark packets
Gateway: uses mark to make routing decision

Hosts n get their IP address via DHCP (IP address lease decision based on the client's MAC address). It is extremely simple to attach a notebook to Subnet A, spoof a legal client's IP and MAC addresses, get UID and username, and do the worst.

Over the weekend I tried packet marking using the iptables MARK and CONNMARK targets to label packets at the Hosts n (iptables output -j MARK rule) and to have the Gateway decide, based on these labels, what to do with the packets (ip rule with fwmark). I stopped trying when I found out that the labels are not given permanently when a marked packet leaves the interface of a host n.

As I very much like the idea of labeling packets, I wonder whether such a concept is possible with other Linux tools. Or how would you do it?

Thanks for your attention,
Philipp