Hello,

I'm trying to configure a webserver (SuSE 9.1), with a SUSE firewall, and perhaps also with samba fileshares, though I'm not sure there's a reasonably secure way of doing this. ssh should also be accessible.

There is no internal (private) network. The server, and the machines accessing the fileshares, are part of a university network. All machines access the internet through that network; nothing from them (or to them) goes through the firewall, which should only protect the machine running the webserver and the samba shares. The server host and the samba clients belong to the same DNS subdomain, and have an IP address block like 222.222.222.2 - 222.222.222.126. The clients all run Windows NT 4.0, Windows 2000, or Windows XP.

As I've currently configured the system, I have two problems:

(1) some users from outside report that the webserver is not accessible; connection attempts throw up DNS errors. I have no rejected packets for port 80 in the firewall log, and am therefore inclined to think that the problem is not with the server or firewall configuration. From within the university network, I have no problems connecting to the server on port 80. Could it be that it just takes some time until the DNS information for the server spreads around, or does this entail that there's something wrong with the DNS entry for the server?

(2) the samba fileshares can't be accessed. Actually, there's only one fileshare. Only one particular username is accepted as valid, and the samba clients must belong to the IP block 222.222.222.xxx/25.

The firewall configuration file currently looks as follows:

FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_MASQUERADE="no"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="www ssh 139 137 138 445"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS="222.222.222.0/25,tcp,137 222.222.222.0/25,tcp,138 222.222.222.0/25,tcp,139 222.222.222.0/25,tcp,445 222.222.222.0/25,udp,137 222.222.222.0/25,udp,138 222.222.222.0/25,udp,139"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="dns"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="dns"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_SAMBA="yes"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_EXT="no"

My idea was to define the ip block of the samba clients as a "trusted net", and to only open the required tcp/udp ports, which are (I believe) 137-139 and 445. I'm not sure whether my syntax for FW_TRUSTED_NETS is correct. But would the general approach be ok? And are there any other non-sensical or counterproductive settings?

Thanks a lot; I'm very new at this (as one might perhaps have gathered from the configuration ...),

best regards,
Birgit Kellner
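
An added example, not part of the original post: a shell check over two of the settings quoted above. It lists TCP ports that FW_TRUSTED_NETS restricts to a network but that FW_SERVICES_EXT_TCP also lists, which opens them to every external host, and prints a candidate value without them. The function names are hypothetical, and tokens are compared literally (a service name such as www is not resolved to a port number).

```shell
#!/bin/sh
# Added example (not from the original post). The two values below are
# copied from the configuration quoted in the post.
FW_SERVICES_EXT_TCP="www ssh 139 137 138 445"
FW_TRUSTED_NETS="222.222.222.0/25,tcp,137 222.222.222.0/25,tcp,138 222.222.222.0/25,tcp,139 222.222.222.0/25,tcp,445 222.222.222.0/25,udp,137 222.222.222.0/25,udp,138 222.222.222.0/25,udp,139"

# trusted_ports PROTO NETS
# Print the ports named by "network,protocol,port" entries for PROTO.
# Entries without a protocol and port are skipped.
trusted_ports() {
    printf '%s\n' $2 | awk -F, -v p="$1" 'NF == 3 && $2 == p { print $3 }' | sort -u
}

# open_to_all SERVICES PROTO NETS
# Print each entry of SERVICES (an FW_SERVICES_EXT_* value) that NETS also
# restricts to a network: listed in both, the port is reachable by everyone.
open_to_all() {
    restricted=$(trusted_ports "$2" "$3")
    for svc in $1; do
        for port in $restricted; do
            if [ "$svc" = "$port" ]; then
                echo "$svc"
            fi
        done
    done
}

# narrowed SERVICES PROTO NETS
# Print SERVICES with the overlapping entries removed, on one line.
narrowed() {
    overlap=$(open_to_all "$1" "$2" "$3")
    keep=""
    for svc in $1; do
        case " $(echo $overlap) " in
            *" $svc "*) ;;                        # restricted elsewhere: drop
            *) keep="$keep${keep:+ }$svc" ;;      # public service: keep
        esac
    done
    echo "$keep"
}

echo "TCP ports open to all despite FW_TRUSTED_NETS:" \
    $(open_to_all "$FW_SERVICES_EXT_TCP" tcp "$FW_TRUSTED_NETS")
echo "FW_SERVICES_EXT_TCP without them: $(narrowed "$FW_SERVICES_EXT_TCP" tcp "$FW_TRUSTED_NETS")"
```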