Folks,

Below is a portion of the firewall log for a firewall machine I set up a few weeks ago. In general it runs SuSE 6.4 with all updates from SuSE's site (security and plain upgrades) as of 12-26-2000. I also ran harden_suse (hardsuse-2.6-2) to secure the permissions, daemons, login processes, etc. The machine runs kernel 2.2.16 with ipchains and masquerades a local network connection to the internet over cable modem.

What I would like to find out is if anyone has seen log entries that appear to have been deleted. These are 4 separate lines, each of which should end with a (#35) or similar number for the rule that caused the log entry. As you can see, lines 2 (containing only a period) and 3 are incomplete. I have never dealt with such issues before and wanted to know if anyone else has experienced similar incidents. More to the point, which possibility does this indicate:

1) Some strange (and hopefully known) behavior of the kernel logger, or ...
2) Someone is silently hacking away at my machine and sloppily deleting log entries trying to cover their trail.

Any feedback is welcome, thanks.

Stuart

----- entries from /var/log/firewall -----
Jan 4 00:03:41 <firewall host name> input ACCEPT eth0 PROTO=6 216.33.107.211:80 <firewall ip>:61016 L=52 S=0x00 I=51812 F=0x0000 T=245 (#35)
.
(#35)
Jan 4 00:03:41 <firewall host name> input ACCEPT eth0 PROTO=6 216.33.107.211:80 <firewall ip>:61016 L=1500 S=0x00 I=51810 F=0x0000 T=245 (#35)
participants (1)
-
Stuart Barbee
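The question above is really a triage problem: which lines in an ipchains log are complete entries (ending in the "(#rule)" tag), which carry the packet fields but no rule tag, and which are bare fragments such as "." or "(#35)". The script below is an added example, not code from the original post or from the ipchains project. It parses the ipchains log format as shown in the post, flags anything that is not a complete entry, and, as a heuristic hint, lists gaps in the IP ID sequence per source/destination pair, since a missing ID between two logged packets from the same sender can point at an entry whose body was lost rather than at an entry that was removed after the fact. The host name "fw", the firewall address 10.0.0.1, and the sample lines themselves are constructed placeholders modelled on the four entries in the post.

```python
"""Triage ipchains firewall log lines for incomplete entries.

Added example, not from the original post. The sample below is constructed to
mirror the four entries quoted in the post; the host name and firewall IP are
placeholders.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: entries 2 and 3 carry no packet fields, which is the
# shape the post complains about.
SAMPLE_LOG = """\
Jan  4 00:03:41 fw input ACCEPT eth0 PROTO=6 216.33.107.211:80 10.0.0.1:61016 L=52 S=0x00 I=51812 F=0x0000 T=245 (#35)
.
(#35)
Jan  4 00:03:41 fw input ACCEPT eth0 PROTO=6 216.33.107.211:80 10.0.0.1:61016 L=1500 S=0x00 I=51810 F=0x0000 T=245 (#35)
"""

# Optional syslog prefix (timestamp, host, and the "kernel: Packet log:" tag
# that syslogd normally leaves in front of ipchains messages).
SYSLOG_PREFIX = (
    r"(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:kernel: )?(?:Packet log: )?)?"
)
ENTRY_RE = re.compile(
    SYSLOG_PREFIX
    + r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    + r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    + r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    + r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    + r"(?P<flags>(?: [A-Z]+)*)"          # e.g. " SYN" on TCP connection attempts
    + r"(?: \(#(?P<rule>\d+)\))?\s*$"     # rule tag is optional so truncation is detectable
)
# A line that is nothing but the rule tag: the tail of an entry whose head is gone.
TAIL_RE = re.compile(r"^\s*\(#(?P<rule>\d+)\)\s*$")


@dataclass
class Entry:
    lineno: int
    status: str            # "complete" | "truncated" | "fragment"
    rule: Optional[int]
    src: Optional[str]     # "ip:port" of the packet source, if present
    dst: Optional[str]
    ipid: Optional[int]
    raw: str


def parse_line(lineno: int, line: str) -> Entry:
    """Classify one log line. Packet fields without a rule tag are 'truncated';
    anything that is not an ipchains entry at all is a 'fragment'."""
    m = ENTRY_RE.match(line)
    if m:
        rule = int(m["rule"]) if m["rule"] else None
        status = "complete" if rule is not None else "truncated"
        return Entry(lineno, status, rule,
                     f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}",
                     int(m["ipid"]), line)
    t = TAIL_RE.match(line)
    return Entry(lineno, "fragment", int(t["rule"]) if t else None,
                 None, None, None, line)


def triage(log_text: str) -> List[Entry]:
    """Parse every non-blank line, keeping 1-based line numbers for reporting."""
    return [parse_line(n, l) for n, l in enumerate(log_text.splitlines(), 1) if l.strip()]


def suspicious(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.status != "complete"]


def ipid_gaps(entries: List[Entry]) -> Dict[Tuple[str, str], List[int]]:
    """Per (src, dst) pair, IP IDs missing between the smallest and largest seen
    in complete entries. Heuristic only: IP IDs are chosen by the sender and are
    not guaranteed to be sequential, so a gap is a hint, not proof."""
    seen: Dict[Tuple[str, str], set] = defaultdict(set)
    for e in entries:
        if e.status == "complete":
            seen[(e.src, e.dst)].add(e.ipid)
    gaps = {}
    for flow, ids in seen.items():
        missing = sorted(set(range(min(ids), max(ids) + 1)) - ids)
        if missing:
            gaps[flow] = missing
    return gaps


if __name__ == "__main__":
    ents = triage(SAMPLE_LOG)
    for e in suspicious(ents):
        print(f"line {e.lineno}: {e.status:9s} rule={e.rule} raw={e.raw!r}")
    for flow, missing in ipid_gaps(ents).items():
        print(f"flow {flow[0]} -> {flow[1]}: IP IDs not logged: {missing}")
```

Run against the constructed sample it reports lines 2 and 3 as fragments (line 3 still carries rule 35) and a gap at IP ID 51811 between the two complete entries for the same source and destination. On a real /var/log/firewall, feed the file's contents to triage() and look at how the suspicious lines cluster: fragments that always split at the same place and at the same timestamp as a neighbouring complete entry look different from entries that are absent outright, and the script only separates the two shapes; it does not decide between the poster's two explanations.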