Hi,

I have a SuSE 7.2 with firewall2 v1.7 and FreeS/WAN on it, with two network interfaces: one is a private net, the other the Internet. I want a Samba on the firewall which is only accessible from the private net (duuh).

OK, so on IPsec tunnels between 10.1.0.0/16 (office) and 10.5.0.0/16 (remote office, 3 users), trusted net is 10.1.0.0/16, I always get this message. Without the firewall all works perfect ... but without the firewall!

10.1.10.23 is a W2K host which wants to reach 10.5.9.104, which is the Samba on the firewall:

Oct 15 13:58:19 salzburgtunnel kernel: SuSE-FW-UNALLOWED-TARGETIN=ipsec0 OUT= MAC=00:02:b3:1a:63:df:00:02:b3:2c:6c:16:08:00 SRC=10.1.10.23 DST=10.5.9.104 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=25021 PROTO=TCP SPT=1523 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Oct 15 13:58:25 salzburgtunnel kernel: SuSE-FW-UNALLOWED-TARGETIN=ipsec0 OUT= MAC=00:02:b3:1a:63:df:00:02:b3:2c:6c:16:08:00 SRC=10.1.10.23 DST=10.5.9.104 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=25023 PROTO=TCP SPT=1524 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Oct 15 13:58:25 salzburgtunnel kernel: SuSE-FW-UNALLOWED-TARGETIN=ipsec0 OUT= MAC=00:02:b3:1a:63:df:00:02:b3:2c:6c:16:08:00 SRC=10.1.10.23 DST=10.5.9.104 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=25024 PROTO=TCP SPT=1523 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

My firewall2 configuration:

FW_DEV_EXT="eth1 ipsec0"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth1"
FW_MASQ_NETS="10.5.0.0/16"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="22 500 123"
FW_SERVICES_EXT_UDP="22 500 123"
FW_SERVICES_EXT_IP="50 51"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="1:65535"
FW_SERVICES_INT_UDP="1:65535"
FW_SERVICES_INT_IP="50 51"
FW_TRUSTED_NETS="10.1.0.0/16"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD="10.5.0.0/16,10.1.0.0/16 10.1.0.0/16,10.5.0.0/16"
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
#FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"

With kind regards/Best Regards
proTask Consulting
mailto:markus.battisti@protask.cc
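The following script is an added example, not part of the original mail or of SuSEfirewall2 itself. It parses the SuSE-FW-UNALLOWED-TARGET kernel log lines quoted above (with the line-wrap artifacts removed) and relates each one to the FW_* settings from the post: which zone the incoming interface (IN=) belongs to according to FW_DEV_EXT / FW_DEV_INT / FW_DEV_DMZ, whether the destination port appears in that zone's FW_SERVICES_*_TCP list, and whether the source address lies in FW_TRUSTED_NETS. The interface-to-zone lookup and the service-list match are a simplified model and an assumption of this example; they are not a reimplementation of SuSEfirewall2's actual rule generation, so treat the output as a triage aid rather than a verdict.

```python
"""Relate SuSEfirewall2 UNALLOWED-TARGET log lines to the FW_* configuration.

Added example. The zone model below is a simplification (an assumption), not
SuSEfirewall2's own rule logic.
"""
import ipaddress
import re

# Constructed sample: two of the kernel log lines from the post, wrap artifacts removed.
LOG_LINES = [
    "Oct 15 13:58:19 salzburgtunnel kernel: SuSE-FW-UNALLOWED-TARGETIN=ipsec0 OUT= "
    "MAC=00:02:b3:1a:63:df:00:02:b3:2c:6c:16:08:00 SRC=10.1.10.23 DST=10.5.9.104 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=25021 PROTO=TCP SPT=1523 DPT=445 "
    "WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)",
    "Oct 15 13:58:25 salzburgtunnel kernel: SuSE-FW-UNALLOWED-TARGETIN=ipsec0 OUT= "
    "MAC=00:02:b3:1a:63:df:00:02:b3:2c:6c:16:08:00 SRC=10.1.10.23 DST=10.5.9.104 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=25023 PROTO=TCP SPT=1524 DPT=139 "
    "WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)",
]

# The settings from the post that concern packets addressed to the firewall host itself.
FW_CONFIG = {
    "FW_DEV_EXT": "eth1 ipsec0",
    "FW_DEV_INT": "eth0",
    "FW_DEV_DMZ": "",
    "FW_SERVICES_EXT_TCP": "22 500 123",
    "FW_SERVICES_INT_TCP": "1:65535",
    "FW_SERVICES_DMZ_TCP": "",
    "FW_TRUSTED_NETS": "10.1.0.0/16",
}

# iptables glues the log prefix straight onto "IN=", hence "...-TARGETIN=ipsec0" in syslog.
LOG_RE = re.compile(r"kernel: (SuSE-FW-[A-Z-]+?)(IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Split a SuSEfirewall2 LOG line into its prefix and its KEY=VALUE fields."""
    m = LOG_RE.search(line)
    if not m:
        return None
    prefix, rest = m.group(1), m.group(2)
    fields = dict(FIELD_RE.findall(rest))      # "OUT=" yields an empty value
    fields["FLAGS"] = [t for t in rest.split() if t in TCP_FLAGS]
    return {"prefix": prefix, "fields": fields}


def zone_of_interface(iface, cfg):
    """Map an incoming interface to the zone the FW_DEV_* settings assign it (assumed model)."""
    for zone in ("EXT", "INT", "DMZ"):
        if iface in cfg.get("FW_DEV_" + zone, "").split():
            return zone
    return None


def port_allowed(port, spec):
    """True if port is covered by a FW_SERVICES_* list such as '22 500 123' or '1:65535'."""
    for item in spec.split():
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False


def in_trusted_nets(src, cfg):
    """True if the source address falls inside any FW_TRUSTED_NETS prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in cfg.get("FW_TRUSTED_NETS", "").split())


def explain(line, cfg):
    """Summarise one log line against the zone and service list it would be judged by."""
    parsed = parse_log_line(line)
    if parsed is None:
        return None
    f = parsed["fields"]
    zone = zone_of_interface(f["IN"], cfg)
    port = int(f["DPT"])
    spec = cfg.get("FW_SERVICES_%s_%s" % (zone, f["PROTO"]), "") if zone else ""
    return {
        "prefix": parsed["prefix"],
        "in": f["IN"],
        "zone": zone,
        "src": f["SRC"],
        "src_trusted": in_trusted_nets(f["SRC"], cfg),
        "dst": f["DST"],
        "dport": port,
        "service_list": spec,
        "port_in_service_list": port_allowed(port, spec),
    }


if __name__ == "__main__":
    for line in LOG_LINES:
        r = explain(line, FW_CONFIG)
        print("%s: %s -> %s:%d in via %s (zone %s); zone TCP list '%s' covers port: %s; "
              "src in FW_TRUSTED_NETS: %s" % (r["prefix"], r["src"], r["dst"], r["dport"],
              r["in"], r["zone"], r["service_list"], r["port_in_service_list"],
              r["src_trusted"]))
```

Run on the two quoted lines, the script reports that both packets arrived on ipsec0, which the posted config lists under FW_DEV_EXT, that ports 445 and 139 are not in FW_SERVICES_EXT_TCP ("22 500 123") although they would be in FW_SERVICES_INT_TCP ("1:65535"), and that the source 10.1.10.23 is inside FW_TRUSTED_NETS. That is exactly the combination a reader would want to check before deciding which setting to adjust.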