Hi! I am in trouble because of my SuSEfirewall2 settings. I have a firewall with six network adapters. One of them points to the DMZ, one of them points to the internal network and the others point to untrusted external worlds. There is a web server and a mail server running on the DMZ. Everybody can access the web server and the mail server (from the external world or from the internal network). The DMZ has a private IP address. Everybody uses the proper IP address of the firewall to access the services on the DMZ server. It works fine.

I wanted to use the same method for the internal network, and there is a strange behaviour. I know that the firewall does not route between the DMZ and the internal net by default (both the DMZ and the internal net are masqueraded), so I used the FW_FORWARD option to access mail and web services on the DMZ from the internal network. The IP address of the DMZ server is 192.168.122.2 and the internal net is 192.168.120.0/24, where 192.168.120.1 points to the interface of the firewall. I tried 192.168.120.1 in my WEB browser (from the internal network) and it did not work. After that I tried 192.168.122.2 and it worked. But why? I think I must use the IP address of the firewall to access services behind the firewall with the FW_FORWARD and FW_FORWARD_MASQ options. Can anybody explain how it works? I already checked the relevant pdf documentation but it did not help. If I try to access the WEB server from the internet and I specify the IP address of the firewall, then it works fine. But it does not work from the internal network in the same way.

And there is a second, more serious problem. OK, I use 192.168.122.2 from the internal network to access web and mail. I tried to check my e-mails with IMAP from the internal network. It worked, but there was a long delay.
The firewall log showed:

    Jun 18 00:28:49 (none) kernel: SuSE-FW-ACCEPT-TRUST IN=eth0 OUT=eth1 SRC=192.168.120.30 DST=192.168.122.2 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=19187 DF PROTO=TCP SPT=4177 DPT=143 WINDOW=44032 RES=0x00 SYN URGP=0 OPT (020405B4)
    Jun 18 00:28:49 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57671 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A034647B10000000001030300)
    Jun 18 00:28:52 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57672 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A034648DD0000000001030300)
    Jun 18 00:28:58 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57673 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A03464B350000000001030300)

I think the SuSE-FW-DROP-DEFAULT causes the delay. Any help would be appreciated.
Best regards,
Sandor Toth

PS: I use SuSE 8.2 Prof.

My routing table is:

    Kernel IP routing table
    Destination     Gateway          Genmask          Flags Metric Ref  Use Iface
    10.12.2.64      0.0.0.0          255.255.255.248  U     0      0      0 eth2
    192.168.102.0   192.168.121.254  255.255.255.0    UG    0      0      0 eth4
    192.168.1.0     0.0.0.0          255.255.255.0    U     0      0      0 eth3
    192.168.0.0     0.0.0.0          255.255.255.0    U     0      0      0 eth5
    192.168.14.0    192.168.121.254  255.255.255.0    UG    0      0      0 eth4
    192.168.120.0   0.0.0.0          255.255.255.0    U     0      0      0 eth0
    192.168.121.0   0.0.0.0          255.255.255.0    U     0      0      0 eth4
    192.168.106.0   192.168.121.254  255.255.255.0    UG    0      0      0 eth4
    192.168.122.0   0.0.0.0          255.255.255.0    U     0      0      0 eth1
    0.0.0.0         10.12.2.65       0.0.0.0          UG    0      0      0 eth2

My SuSE firewall settings are:

    FW_QUICKMODE="no"
    FW_DEV_EXT="eth2 eth3 eth4 eth5 ppp0"
    FW_DEV_INT="eth0"
    FW_DEV_DMZ="eth1"
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_DEV="$FW_DEV_EXT"
    FW_MASQ_NETS="192.168.120.0/24 192.168.122.0/24"
    FW_PROTECT_FROM_INTERNAL="yes"
    FW_AUTOPROTECT_SERVICES="yes"
    FW_SERVICES_EXT_TCP=""
    FW_SERVICES_EXT_UDP=""
    FW_SERVICES_EXT_IP=""
    FW_SERVICES_DMZ_TCP="domain"
    FW_SERVICES_DMZ_UDP="domain"
    FW_SERVICES_DMZ_IP="tcp"
    FW_SERVICES_INT_TCP="domain ssh 224"
    FW_SERVICES_INT_UDP="domain"
    FW_SERVICES_INT_IP="tcp"
    FW_SERVICES_QUICK_TCP=""
    FW_SERVICES_QUICK_UDP=""
    FW_SERVICES_QUICK_IP=""
    FW_TRUSTED_NETS=""
    FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
    FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
    FW_SERVICE_AUTODETECT="yes"
    FW_SERVICE_DNS="yes"
    FW_SERVICE_DHCLIENT="no"
    FW_SERVICE_DHCPD="no"
    FW_SERVICE_SQUID="no"
    FW_SERVICE_SAMBA="no"
    FW_FORWARD="192.168.120.0/24,192.168.122.2,tcp,23 \
                192.168.120.0/24,192.168.122.2,tcp,80 \
                192.168.120.0/24,192.168.122.2,tcp,139 \
                192.168.120.0/24,192.168.122.2,tcp,25 \
                192.168.120.0/24,192.168.122.2,tcp,110 \
                192.168.120.0/24,192.168.122.2,tcp,143"
    FW_FORWARD_MASQ="\
                192.168.14.0/24,192.168.120.19,tcp,3389 \
                192.168.14.0/24,192.168.120.18,tcp,7781 \
                192.168.14.0/24,192.168.120.18,tcp,445 \
                192.168.14.0/24,192.168.122.2,tcp,23 \
                192.168.14.0/24,192.168.120.18,tcp,1522 \
                192.168.14.0/24,192.168.120.13,tcp,80 \
                192.168.14.0/24,192.168.120.30,tcp,6000 \
                192.168.14.0/24,192.168.120.18,tcp,139 \
                0/0,192.168.122.2,tcp,25 \
                0/0,192.168.122.2,tcp,110 \
                0/0,192.168.122.2,tcp,143 \
                0/0,192.168.122.2,tcp,80 \
                192.168.102.101,192.168.120.30,tcp,6000 \
                192.168.102.102,192.168.120.30,tcp,6000"
    # Beware to use this!
    FW_REDIRECT=""
    FW_LOG_DROP_CRIT="yes"
    FW_LOG_DROP_ALL="yes"
    FW_LOG_ACCEPT_CRIT="yes"
    FW_LOG_ACCEPT_ALL="no"
    FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
    FW_KERNEL_SECURITY="yes"
    FW_STOP_KEEP_ROUTING_STATE="no"
    FW_ALLOW_PING_FW="no"
    FW_ALLOW_PING_DMZ="no"
    FW_ALLOW_PING_EXT="no"
    FW_ALLOW_FW_TRACEROUTE="no"
    FW_ALLOW_FW_SOURCEQUENCH="no"
    FW_ALLOW_FW_BROADCAST="no"
    FW_IGNORE_FW_BROADCAST="yes"
    FW_ALLOW_CLASS_ROUTING="no"
    FW_CUSTOMRULES=""
    FW_REJECT="no"
    FW_HTB_TUNE_DEV=""
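An added example (not part of the original post or of SuSEfirewall2) that parses SuSE-FW kernel log lines of the kind quoted above and pairs the accepted client-to-server SYN with the dropped server-to-client SYNs that follow it, so the retried callback (here to TCP 113, the ident/auth port) and the stall it adds are reported directly; the sample lines are the four copied from the post.

```python
import re
from collections import defaultdict

# Constructed sample: the ACCEPT and three DROP lines quoted in the post above.
SAMPLE_LOG = """\
Jun 18 00:28:49 (none) kernel: SuSE-FW-ACCEPT-TRUST IN=eth0 OUT=eth1 SRC=192.168.120.30 DST=192.168.122.2 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=19187 DF PROTO=TCP SPT=4177 DPT=143 WINDOW=44032 RES=0x00 SYN URGP=0 OPT (020405B4)
Jun 18 00:28:49 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57671 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A034647B10000000001030300)
Jun 18 00:28:52 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57672 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A034648DD0000000001030300)
Jun 18 00:28:58 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57673 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A03464B350000000001030300)
"""

# syslog timestamp, then the SuSE-FW verdict (ACCEPT-TRUST, DROP-DEFAULT, ...), then the netfilter fields
LINE_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) .*?SuSE-FW-(\S+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return (seconds of day, verdict, fields) or None for a non-firewall line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    secs = int(m.group(3)) * 3600 + int(m.group(4)) * 60 + int(m.group(5))
    rest = m.group(7)
    fields = dict(KV_RE.findall(rest))
    fields["SYN"] = " SYN " in rest  # TCP flags are bare tokens, not key=value
    return secs, m.group(6), fields

def find_dropped_callbacks(log_text):
    """Pair each accepted SYN (client -> server) with later dropped SYNs in the
    opposite direction (server -> client) and report retries and the stall."""
    accepted = {}               # (client, server) -> (service port, seconds)
    drops = defaultdict(list)   # (server, client, callback port) -> [seconds, ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        secs, verdict, f = parsed
        if f.get("PROTO") != "TCP" or not f["SYN"]:
            continue
        if verdict.startswith("ACCEPT"):
            accepted.setdefault((f["SRC"], f["DST"]), (int(f["DPT"]), secs))
        elif verdict.startswith("DROP") and (f["DST"], f["SRC"]) in accepted:
            drops[(f["SRC"], f["DST"], int(f["DPT"]))].append(secs)
    findings = []
    for (server, client, cb_port), times in drops.items():
        service_port, t0 = accepted[(client, server)]
        findings.append({"client": client, "server": server,
                         "service_port": service_port, "callback_port": cb_port,
                         "retries": len(times), "stall_seconds": max(times) - t0})
    return findings

if __name__ == "__main__":
    for hit in find_dropped_callbacks(SAMPLE_LOG):
        print(hit)
```

On the post's four lines this reports one finding: the IMAP (143) session from 192.168.120.30 is accepted, and the server's callback to port 113 on that client is dropped three times over nine seconds, which is the stall the post describes.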