Hello List. This is my first posting, so please bear with me.

I'm playing with SuSEfirewall2 on SUSE 9.2 trying to build a screened subnet FW. Here's my test setup:

        +----------+
        |"Internet"|
        +----------+
              |
            wlan0
        (192.168.1.1)
              |
+----------------+         +----------------+     +--------+
|exterior router |-----+---|interior router |-----|intranet|
+----------------+     |   +----------------+     +--------+
 eth0 (10.0.0.1)       |
                       |
                       | eth0 (10.0.0.2)
                 +----------+
                 |DMZ server|
                 +----------+

Right now I'm trying to configure the exterior router. To enable HTTP and SSH on the DMZ server I configured the SuSEfirewall2 script as follows:

    FW_DEV_EXT="wlan-bus-pcmcia"
    FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
    FW_ROUTE="yes"
    FW_FORWARD="0/0,10.0.0.2,tcp,80 0/0,10.0.0.2,tcp,22"

The rest is more or less standard settings (attached at the end of this email).

Now, when I try to connect to the webserver from the internet I can see the packets with tcpdump at the DMZ server; however, the return packets get blocked by SuSEfirewall2 with the log entry:

    Feb 24 13:19:10 linux kernel: SFW2-FWDdmz-DROP-DEFLT IN=eth0 OUT=wlan0 SRC=10.0.0.2 DST=192.168.1.2 LEN=60 TOS=0x08 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=33012 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A0456274F008ADDF901030302

and these packets should be blocked because the relevant iptables rules generated by SuSEfirewall2 are:

    -A forward_dmz -d 10.0.0.2 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
    -A forward_dmz -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A forward_dmz -j DROP

If I understand the first rule correctly, only packets with the destination IP 10.0.0.2 will match. All the rest gets blocked with the log message. All the tutorials and FAQs I read so far never said anything about configuring the reverse path also. I mean, I could simply include 10.0.0.2,0/0 in FW_FORWARD, but if someone hacked my DMZ server he automatically has access to everywhere.

So is this me just being stupid, or is SuSEfirewall2 not doing what it should be doing? Is there a better way to enable just the response traffic from the DMZ server than including the reverse path?

Greetings
Stefan

---- full SuSEfirewall2 configuration ----

    $ cat /etc/sysconfig/SuSEfirewall2 | grep -e "FW_" | grep -v "#"
    FW_QUICKMODE="no"
    FW_DEV_EXT="wlan-bus-pcmcia"
    FW_DEV_INT=""
    FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
    FW_ROUTE="yes"
    FW_MASQUERADE="no"
    FW_MASQ_DEV="$FW_DEV_EXT"
    FW_MASQ_NETS=""
    FW_PROTECT_FROM_INTERNAL="no"
    FW_AUTOPROTECT_SERVICES="no"
    FW_SERVICES_*_TCP=""
    FW_SERVICES_*_UDP=""
    FW_SERVICES_DROP_EXT=""
    FW_SERVICES_REJECT_EXT="0/0,tcp,113"
    FW_SERVICES_QUICK_TCP=""
    FW_SERVICES_QUICK_UDP=""
    FW_SERVICES_QUICK_IP=""
    FW_TRUSTED_NETS=""
    FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
    FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
    FW_FORWARD="0/0,10.0.0.2,tcp,80 0/0,10.0.0.2,tcp,22"
    FW_FORWARD_MASQ=""
    FW_REDIRECT=""
    FW_LOG_DROP_CRIT="yes"
    FW_LOG_DROP_ALL="yes"
    FW_LOG_ACCEPT_CRIT="yes"
    FW_LOG_ACCEPT_ALL="no"
    FW_LOG_LIMIT="no"
    FW_LOG=""
    FW_KERNEL_SECURITY="yes"
    FW_ANTISPOOF="no"
    FW_STOP_KEEP_ROUTING_STATE="yes"
    FW_ALLOW_PING_FW="yes"
    FW_ALLOW_PING_DMZ="yes"
    FW_ALLOW_PING_EXT="yes"
    FW_ALLOW_FW_TRACEROUTE="yes"
    FW_ALLOW_FW_SOURCEQUENCH="yes"
    FW_ALLOW_FW_BROADCAST="int"
    FW_IGNORE_FW_BROADCAST="no"
    FW_ALLOW_CLASS_ROUTING="no"
    FW_CUSTOMRULES=""
    FW_REJECT="no"
    FW_HTB_TUNE_DEV=""
    FW_IPv6=""
    FW_IPv6_REJECT_OUTGOING="yes"
    FW_IPSEC_TRUST="no"
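The drop described in the post, and the difference between opening the reverse path wholesale and letting only reply traffic through, can be modelled with a small simulation of the forward_dmz chain plus a minimal conntrack table. This is an added example, not the poster's configuration or SuSEfirewall2's own code; it assumes the client address 192.168.1.2 from the log and a constructed third packet in which the DMZ host opens a connection of its own.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")   # one TCP packet's 4-tuple
DMZ_HOST = "10.0.0.2"

class Conntrack:
    """Minimal conntrack model: an accepted NEW packet creates an entry for its
    original direction; a packet matching the reverse tuple is ESTABLISHED (RELATED not modelled)."""
    def __init__(self):
        self.replied = {}  # original 4-tuple -> reply seen yet?

    def state(self, p):
        orig = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if reply in self.replied:  # travelling in the reply direction
            self.replied[reply] = True
            return "ESTABLISHED"
        return "ESTABLISHED" if self.replied.get(orig) else "NEW"

    def confirm(self, p):
        self.replied.setdefault((p.src, p.sport, p.dst, p.dport), False)

def forward_dmz(p, ct, mode):
    """Verdict of the forward_dmz chain for packet p; mode picks the variant:
    'as_posted'   only the quoted rule (-d 10.0.0.2 --dport 80/22, any state),
    'reverse_any' plus 10.0.0.2,0/0 in FW_FORWARD (anything from the DMZ host),
    'stateful'    plus -s 10.0.0.2 -m state --state ESTABLISHED,RELATED -j ACCEPT."""
    st = ct.state(p)
    if p.dst == DMZ_HOST and p.dport in (80, 22):
        verdict = "ACCEPT"
    elif mode == "reverse_any" and p.src == DMZ_HOST:
        verdict = "ACCEPT"
    elif mode == "stateful" and p.src == DMZ_HOST and st == "ESTABLISHED":
        verdict = "ACCEPT"
    else:
        verdict = "DROP"  # the SFW2-FWDdmz-DROP-DEFLT log line, then DROP
    if verdict == "ACCEPT" and st == "NEW":
        ct.confirm(p)
    return verdict

def scenario(mode):
    """Verdicts for: the client's SYN in, the SYN/ACK reply the post's log shows
    being dropped, and a constructed outbound connection the DMZ host opens itself."""
    ct = Conntrack()
    packets = [
        Pkt("192.168.1.2", 33012, DMZ_HOST, 80),
        Pkt(DMZ_HOST, 80, "192.168.1.2", 33012),
        Pkt(DMZ_HOST, 40000, "192.168.1.2", 443),
    ]
    return [forward_dmz(p, ct, mode) for p in packets]
```

Only the stateful variant accepts the SYN/ACK while still dropping a connection the DMZ host initiates on its own, which is the property the post is asking for.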