DMZ egress access problem

Hi, I have a bit of a problem connecting from DMZ to the outside world. I have a DMZ with real IP numbers (not masqueraded) and the corresponding routing setup (which is working just fine). I allow port 80 and 22 to the DMZ, which is working great too. But... The problem is that from a DMZ host one cannot download patches; no DMZ -> internet connection is allowed at all and I cannot find a (safe) solution. These are my settings: Outside net X.Y.Z.144/28 DMZ net X.Y.Z.160/28 LAN 192.168.1.0/24 My outside I/F is X.Y.Z.146. DMZ I/F is X.Y.Z.161 These are the relevant sections of SuSEfirewall I have configured FW_DEV_EXT="eth0" FW_DEV_INT="eth1" FW_DEV_DMZ="eth2" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="eth0 eth2" FW_FORWARD="0/0,X.Y.Z.160/28,tcp,80 0/0,X.Y.Z.160/28,tcp,22 X.Y.Z.160/28,0/0" That last rule should allow access to internet, right ? But it doesn't. With a sniffer I see packets leaving the firewall and they come back to eth0 whereafter they disappear. So probably the rule that should allow it back (I mean the smart rule) doesn't apply or it has a bug. If I add this bit it works,but then I open up the entire DMZ again (evil) 0/0,X.Y.Z.160/28 And since I cannot define SOURCE portnumbers in FW_FORWARD, only DEST portnumbers, I see no workaround. Because obviously the destination ports are random >1024 ports. The construct 0/0,tcp,80,X.Y.Z.160/28 is not allowed according to the docs. Or is it...? (And besides, that is not very safe since anyone could then spoof that source port number anyway) I can probably solve it by patching some things around inside the real firewallscript but that is not why I'm writing this... I wonder how you are _supposed_ to solve this in the proper way. Are my rules wrong, or do you all disregard the FW_FORWARD line entirely and do it all from one of the hooks in the FW_CUSTOMRULES file ? I searched these mailarchives but a solution is not easy to find. For one, just looking for "DMZ" obviously gives thousands of hits and more importantly everyone seems to use a masqueraded DMZ anyway (As do the SuSE examples) so that does not really apply to my situation. Any insights ? Maarten