Re: Possible problems with firewall 1.5 script
Hi,
> Nice script. I will be the first to admit I still need to learn a lot more about packet filtering, however I am getting continuous deny entries like
>
> Dec 17 15:47:24 machine_name kernel: Packet log: input DENY eth0 PROTO=17 222.111.100.128:520 222.111.100.255:520 L=32 S=0x00 I=7066 F=0x0000 T=64 (#6)
> Dec 17 15:47:24 machine_name kernel: Packet log: input DENY eth1 PROTO=17 192.168.0.1:520 192.168.0.255:520 L=32 S=0x00 I=7067 F=0x0000 T=64 (#5)
Do you have the routing daemon running on your firewall? From the rule numbers which denied the packets, it looks like it (#4 and #5) ... The reason is simple: the firewall itself sends a broadcast to the network. Because it's a broadcast, the same firewall interface which sent the packet also receives a copy. Then the filter rules hit, because the screening rules identify this packet as an IP-spoofed packet ... Solution: don't run broadcast services on the firewall. Especially samba (hi Frank :-) and routed are a very bad idea. To subvert or DoS the firewall through RIP spoofing is rather trivial... I'll add something for a future version of the script.
> Also I added
>
> $IPCHAINS -M -S 14400 10 60
>
> to the SuSEfirewall script since I like to keep ssh sessions to my work open for long periods of time. You might want to consider adding this by default.
Any other opinions? Do you people think this is a good idea?
> And any pointers towards VPN Masquerading would be helpful. Specifically, do I need the VPN Masquerading Kernel Patch for SuSE 6.3 (kernel 2.2.13)?
Have you taken a look at the freeswan package?

Greets,
Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
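The explanation above (the firewall's own RIP broadcast comes back in on the same interface and is then caught by the anti-spoofing rule) can be checked mechanically rather than by eyeballing the log. The following is an added example written for this thread, not code from the SuSEfirewall script or from the poster: it parses the ipchains "Packet log:" line format shown in the quoted message and sorts each DENY into "own broadcast echoed back", "source address belongs to another local network (the real spoof case)", "RIP from somewhere else", or "other". The interface addressing in LOCAL_IFACES is an assumption (inferred from the source addresses in the two quoted lines, with /24 masks chosen here), and the third and fourth sample lines are constructed to show the other cases.

```python
import re
import ipaddress
from collections import Counter

# ASSUMPTION: the firewall's interface addressing is not stated in the thread.
# The two quoted log lines show 222.111.100.128 on eth0 and 192.168.0.1 on
# eth1 as source addresses, so /24 networks on those addresses are assumed.
LOCAL_IFACES = {
    "eth0": ipaddress.ip_interface("222.111.100.128/24"),
    "eth1": ipaddress.ip_interface("192.168.0.1/24"),
}

# Constructed sample: the two lines quoted in the thread (hostname shortened),
# plus two invented lines: a LAN source arriving on the outside interface
# (a genuine spoof) and an unrelated external TCP probe.
SAMPLE_LOG = """\
Dec 17 15:47:24 fw kernel: Packet log: input DENY eth0 PROTO=17 222.111.100.128:520 222.111.100.255:520 L=32 S=0x00 I=7066 F=0x0000 T=64 (#6)
Dec 17 15:47:24 fw kernel: Packet log: input DENY eth1 PROTO=17 192.168.0.1:520 192.168.0.255:520 L=32 S=0x00 I=7067 F=0x0000 T=64 (#5)
Dec 17 15:48:01 fw kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.77:520 192.168.0.255:520 L=32 S=0x00 I=7100 F=0x0000 T=64 (#6)
Dec 17 15:48:30 fw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:4444 222.111.100.128:22 L=60 S=0x00 I=7200 F=0x4000 T=51 (#12)
"""

# ipchains 2.2 kernel log format: chain, verdict, interface, protocol number,
# src:port, dst:port, then length/TOS/ID/flags/TTL and the matching rule number.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)"
)

RIP_PORT = 520  # RIP runs over UDP (protocol 17) on port 520


def parse_line(line):
    """Return a dict of the packet fields, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        entry[key] = int(entry[key])
    entry["src"] = ipaddress.ip_address(entry["src"])
    entry["dst"] = ipaddress.ip_address(entry["dst"])
    return entry


def classify(entry, ifaces=LOCAL_IFACES):
    """Explain why an input DENY most likely fired, given the local addressing."""
    rx = ifaces.get(entry["iface"])
    is_rip = entry["proto"] == 17 and entry["dport"] == RIP_PORT
    # Case described in the thread: the source is the receiving interface's own
    # address, so this is the firewall's own packet coming back in, not a spoof.
    if rx is not None and entry["src"] == rx.ip:
        if entry["dst"] == rx.network.broadcast_address:
            return "own-broadcast-echo"
        return "own-address"
    # Genuine spoof: a source that belongs to a different local network than the
    # interface it arrived on (e.g. a LAN address showing up on the outside).
    for name, local in ifaces.items():
        if name != entry["iface"] and entry["src"] in local.network:
            return "spoofed-local-source"
    if is_rip:
        return "external-rip"
    return "other"


def analyse(text, ifaces=LOCAL_IFACES):
    """Count DENY lines by (rule number, classification)."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["verdict"] != "DENY":
            continue
        counts[(entry["rule"], classify(entry, ifaces))] += 1
    return counts


if __name__ == "__main__":
    for (rule, kind), n in sorted(analyse(SAMPLE_LOG).items()):
        print(f"rule #{rule:<3} {kind:<22} {n}")
```

If every hit on the anti-spoofing rules comes out as "own-broadcast-echo" with UDP/520, the fix is the one Marc gives (stop routed or any other broadcasting service on the firewall) rather than loosening the rule; "spoofed-local-source" hits are the ones the rule exists for and should stay denied.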