There is a recent security hole in the ipchains IP forwarding mechanism that can allow arbitrary packets through the ipchains filters if a fragment overlap tactic is used to rewrite the address in the header. A "fragrouter" exploit has been written which makes it particularly easy for hackers to exploit this hole. The patch has been incorporated into the Linux 2.2.11 kernel as blessed/released by Linus on August 9, 1999. This kernel (or, marginally, a patched version of the 2.2.5 kernel) should be packaged and released ASAP! For more information, visit: http://www.securityfocus.com/vdb/bottom.html?vid=543