Hi, Is it there any way to configure stateful packet inspection rules in SuSEfirewall2 for masquerade networks? When I configure a rule in FW_MASQ_NETS in order to allow traffic from the outside to the DMZ, I also have to configure a rule for responses. Example: Incoming traffic to my web server in a DMZ with private addresses FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,80 I also need to set up the following rules in order to let responses out FW_MASQ_NETS="192.168.1.5/32,0/0,tcp,1024:65535" This rule permits not only established sessions, but additionally it allows my web server to establish connections to the outside world. Dont know why the FW_FORWARD rules are stateful as I want, but FW_MASQ_NETS ones dont. Any suggestion? Is it possible to math the SYN, ACK and FIN TCP bits with SuSEfirewall2? Thanks in advance. Pablo Ronco