Hello, I have been working on a solution to a firewall I have been asked to build now for a week, and I have learnt a lot, but am repeatedly running into the fact I am doing something fundamentally wrong.

                217.34.xxx.high_end
                    DSL ROUTER
                        |
                        |
                    Firewall2 -----------------------217.34.xxx.low_end (Named/SQUID)
                        |                            EXCHANGE Server
                        |                            |
                        |                            |-----------217.34.xxx.low_end
                        |                                        Backup Server
                        |
                      DHCP LAN

Since I did not get to call the shots on the setup of their network, the LAN needs to be able to see the services on the DMZ machines, and the DHCP machines need to be masqueraded to the outside world. Through change after change I have managed to get the initial issue solved (subnetting correctly so it knows where the lower and higher IPs are - Doh!). My boss is pushing for another solution - but I am confident I can solve it with this - although I am not producing the goods. If anyone has a similar configuration, or is willing to offer me some wise words - then please contact me directly.

Many thanks
AH

--
For your amusement...

# 2.)
FW_DEV_EXT="eth0"
# 3.)
FW_DEV_INT="eth2"
# 4.)
FW_DEV_DMZ="eth1"
# 5.)
FW_ROUTE="yes"
# 6.)
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="$INT_LAN_RANGE,0/0,tcp,20
              $INT_LAN_RANGE,0/0,tcp,21
              $INT_LAN_RANGE,0/0,tcp,22
              $INT_LAN_RANGE,0/0,tcp,23
              $INT_LAN_RANGE,0/0,tcp,25
              $INT_LAN_RANGE,0/0,tcp,37
              $INT_LAN_RANGE,0/0,udp,37
              $INT_LAN_RANGE,0/0,udp,43
              $INT_LAN_RANGE,0/0,udp,53
              $INT_LAN_RANGE,0/0,tcp,53
              $INT_LAN_RANGE,0/0,tcp,80
              $INT_LAN_RANGE,0/0,tcp,110
              $INT_LAN_RANGE,0/0,tcp,113
              $INT_LAN_RANGE,0/0,tcp,123
              $INT_LAN_RANGE,0/0,udp,123
              $INT_LAN_RANGE,0/0,tcp,143
              $INT_LAN_RANGE,0/0,tcp,443
              $INT_LAN_RANGE,0/0,tcp,554
              $INT_LAN_RANGE,0/0,tcp,993
              $INT_LAN_RANGE,0/0,tcp,1863
              $INT_LAN_RANGE,0/0,tcp,2401
              $INT_LAN_RANGE,0/0,tcp,5800
              $INT_LAN_RANGE,0/0,tcp,5900
              $INT_LAN_RANGE,0/0,tcp,6800:6900
              $INT_LAN_RANGE,0/0,udp,6800:6900
              $INT_LAN_RANGE,0/0,tcp,6901
              $INT_LAN_RANGE,0/0,udp,6901
              $INT_LAN_RANGE,0/0,tcp,6970:7170
              $INT_LAN_RANGE,0/0,tcp,7070"
# 7.)
FW_PROTECT_FROM_INTERNAL="yes"
# 8.)
FW_AUTOPROTECT_SERVICES="yes"
# 9.)
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""   # Common: domain
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="53 3128"
FW_SERVICES_DMZ_UDP="53"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="23 53 3128"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""
# 10.)
FW_TRUSTED_NETS="$EXT_ZFT_GATE,tcp,22"   # SSH/SCP from our gateway
# 11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
# 12.)
FW_SERVICE_AUTODETECT="yes"   # Autodetect the services below when starting
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
# 13.)
FW_FORWARD="$INT_LAN_RANGE,$DMZ_IP_RANGE
            0/0,$DMZ_EXCHANGE,tcp,25
            0/0,$DMZ_EXCHANGE,tcp,80
            0/0,$DMZ_EXCHANGE,tcp,135
            0/0,$DMZ_EXCHANGE,tcp,443
            0/0,$DMZ_BACKUP,tcp,21
            0/0,$DMZ_BACKUP,tcp,20"
# 14.)
FW_FORWARD_MASQ=""   # Beware to use this!
# 15.)
FW_REDIRECT=""
# 16.)
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
# 17.)
FW_KERNEL_SECURITY="yes"
# 18.)
FW_STOP_KEEP_ROUTING_STATE="yes"
# 19.)
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"

--
a n t h o n y h o g b i n
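As an added example, not from the original post and not SuSEfirewall2's own code: a small Python script that expands the FW_MASQ_NETS, FW_FORWARD and FW_FORWARD_MASQ entry syntax (src[,dst[,proto[,port]]] for masquerading, src,dst[,proto[,port]] for plain forwarding, src,dst_ip,proto,port[,req_port] for DNAT) into the iptables rules they correspond to, so the policy in a config like the one above can be read out before it is loaded. The addresses given for INT_LAN_RANGE, DMZ_IP_RANGE, DMZ_EXCHANGE and DMZ_BACKUP are assumptions (the section of the config that defines them is not in the post), and the rule layout is an approximation of what SuSEfirewall2 generates (it uses its own chains, logging and a global ESTABLISHED/RELATED accept), so compare the output against iptables -L -n -v and iptables -t nat -L -n on the real box.

```python
# Added example: expand SuSEfirewall2 FW_MASQ_NETS / FW_FORWARD / FW_FORWARD_MASQ
# entries into approximate iptables rules. Not part of SuSEfirewall2; the chain
# layout is simplified to the match options that decide the policy.
import re
from typing import List, Optional

ANY = ("0/0", "0.0.0.0/0")

# Constructed stand-ins for variables the post defines in a section not shown.
INT_LAN_RANGE = "192.168.1.0/24"   # assumed: private DHCP LAN behind eth2
DMZ_IP_RANGE = "217.34.1.0/29"     # assumed: public DMZ block on eth1
DMZ_EXCHANGE = "217.34.1.2"        # assumed
DMZ_BACKUP = "217.34.1.3"          # assumed

_PORT = re.compile(r"^\d{1,5}(:\d{1,5})?$")   # single port or low:high range


def _split(value: str) -> List[List[str]]:
    """Entries are whitespace separated, fields comma separated, as in the config."""
    return [entry.split(",") for entry in value.split()]


def _match(src: str, dst: str, proto: Optional[str], port: Optional[str]) -> str:
    """Build the iptables match options shared by all three variables."""
    if port is not None:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"port {port!r} needs tcp or udp, got {proto!r}")
        if not _PORT.match(port):
            raise ValueError(f"bad port spec {port!r}")
    parts = []
    if src not in ANY:
        parts.append(f"-s {src}")
    if dst not in ANY:
        parts.append(f"-d {dst}")
    if proto:
        parts.append(f"-p {proto}")
    if port:
        parts.append(f"--dport {port}")
    return " ".join(parts)


def masq_rules(masq_nets: str, masq_dev: str) -> List[str]:
    """FW_MASQ_NETS: src[,dst[,proto[,port]]] -> FORWARD accept + POSTROUTING MASQUERADE."""
    rules = []
    for fields in _split(masq_nets):
        if not 1 <= len(fields) <= 4:
            raise ValueError(f"FW_MASQ_NETS entry has {len(fields)} fields: {fields}")
        src, dst, proto, port = (fields + [None] * 4)[:4]
        m = _match(src, dst or "0/0", proto, port)
        rules.append(f"iptables -A FORWARD {m} -o {masq_dev} -m state --state NEW -j ACCEPT")
        rules.append(f"iptables -t nat -A POSTROUTING {m} -o {masq_dev} -j MASQUERADE")
    return rules


def forward_rules(forward: str) -> List[str]:
    """FW_FORWARD: src,dst[,proto[,port]] -> routed FORWARD accept, no NAT.
    Sufficient when the DMZ hosts carry public addresses, as in the post."""
    rules = []
    for fields in _split(forward):
        if not 2 <= len(fields) <= 4:
            raise ValueError(f"FW_FORWARD entry needs src,dst[,proto[,port]]: {fields}")
        src, dst, proto, port = (fields + [None] * 4)[:4]
        rules.append(f"iptables -A FORWARD {_match(src, dst, proto, port)} -m state --state NEW -j ACCEPT")
    return rules


def forward_masq_rules(forward_masq: str, ext_dev: str) -> List[str]:
    """FW_FORWARD_MASQ: src,dst_ip,proto,port[,req_port] -> DNAT on the external
    interface plus a FORWARD accept. Only needed for a DMZ host on a private
    address, which is why the post can leave it empty."""
    rules = []
    for fields in _split(forward_masq):
        if not 4 <= len(fields) <= 5:
            raise ValueError(f"FW_FORWARD_MASQ entry needs src,dst_ip,proto,port[,req_port]: {fields}")
        src, dst, proto, port = fields[:4]
        req_port = fields[4] if len(fields) == 5 else port
        rules.append(f"iptables -t nat -A PREROUTING -i {ext_dev} {_match(src, '0/0', proto, req_port)} "
                     f"-j DNAT --to-destination {dst}:{port}")
        rules.append(f"iptables -A FORWARD -i {ext_dev} {_match(src, dst, proto, port)} -m state --state NEW -j ACCEPT")
    return rules


# The post's FW_FORWARD with the assumed addresses substituted, and a subset of its FW_MASQ_NETS.
FW_FORWARD = (f"{INT_LAN_RANGE},{DMZ_IP_RANGE} "
              f"0/0,{DMZ_EXCHANGE},tcp,25 0/0,{DMZ_EXCHANGE},tcp,80 "
              f"0/0,{DMZ_EXCHANGE},tcp,135 0/0,{DMZ_EXCHANGE},tcp,443 "
              f"0/0,{DMZ_BACKUP},tcp,21 0/0,{DMZ_BACKUP},tcp,20")
FW_MASQ_NETS = (f"{INT_LAN_RANGE},0/0,tcp,80 {INT_LAN_RANGE},0/0,udp,53 "
                f"{INT_LAN_RANGE},0/0,tcp,6800:6900")

if __name__ == "__main__":
    for rule in masq_rules(FW_MASQ_NETS, "eth0") + forward_rules(FW_FORWARD):
        print(rule)
```

The first FW_FORWARD entry is the one that gives the LAN access to the DMZ: it is a plain routed accept with no NAT, which works here only because the DMZ addresses are public; a DMZ host on a private address would need a FW_FORWARD_MASQ (DNAT) entry instead, and the script refuses an entry that names a port without tcp or udp, which is the common way to write one of these lines wrong.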