Running SuSE 9.0 Pro. O.K. I'm about to give up. I've been messing with the setup for SuSEfirewall2 which is apparently a niced up front end to IPTABLES. I'm trying to get a DMZ up so when I have to fix something on our renderfarm at 3 AM I can do it from home through ssh. currently the firewall works with 2 NICs dividing my local net from the big bad ugly WWW. it is functioning properly and dropping everything that it should. now on to the DMZ. I've read a ton of stuff on how to set up internal DMZ's through FW_FORWARD_MASQ="0/0,10.0.1.2,tcp,80" which looks like it Masquerades and uses an inside IP on a third NIC that's not a "real world" IP. I can't get that working in any way. Then there's the preferred method of having a second, ISP issued "real world" IP, on the DMZ and It again resides on the third NIC but there is no masquerading and it looks like and it uses FW_FORWARD="127.0.0.1,127.0.0.2,tcp,1". The forelisted FW lines are straight out of the EXAMPLE included with SuSE so they really don't apply to my network directly. let me sum up what I have and maybe somebody can point me in the right direction. Firewall box: FW_DEV_INT="eth0" FW_DEV_EXT="eth1" FW_DEV_DMZ="eth2" the external has my first ISP assigned IP. the internal is the generic 192.168.2.0 network. what I'm not sure of is what IP needs to be on eth2 real or masq'd and any custom routing. I've tried everything I can think of. including a same and different internal IP, another of my real world IP's you name it. routes?? and maybe howto?? DMZ box eth0 tried internal IP, real world IP......all in pairs because AFAIK if the subnet isn't the same and the networks are different they wont ping. the only life out there I get is when I use and internal IP like 192.168.0.1 on eth2 for the firewall and 192.168.0.2 on the DMZ. then I can ping from firewall to DMZ and vice versa. but when I go from there to try and use the FW_FORWARD_MASQ, I still can't get in from home on the outside. the only reason I'm pursuing the masq setup is I can't get anything else to ping. I'd prefer to do it the other way but it's not getting anywhere. so here's the snip from the masq field: # Which services accessed from the internet should be allowed to masqueraded # servers (on the internal network or dmz)? # REQUIRES: FW_ROUTE # # With this option you may allow access to e.g. your mailserver. The # machines must be in a masqueraded segment and may not have public IP addesses! # Hint: if FW_DEV_MASQ is set to the external interface you have to set # FW_FORWARD from internal to DMZ for the service as well to allow access # from internal! # # Please note that this should *not* be used for security reasons! You are # opening a hole to your precious internal network. If e.g. the webserver there # is compromised - your full internal network is compromised!! # # Choice: leave empty (good choice!) or use the following explained syntax # of forward masquerade rules, seperated each by a space. # A forward masquerade rule consists of 1) source IP/net, 2) destination IP # (dmz/intern), 3) a protocol (tcp/udp only!) and 4) destination port, # seperated by a comma (","), e.g. "4.0.0.0/8,1.1.1.1,tcp,80" # Optional is a port after the destination port, to redirect the request to # a different destination port on the destination IP, e.g. # "4.0.0.0/8,1.1.1.1,tcp,80,81" # FW_FORWARD_MASQ="0/0,10.0.1.2,tcp,80" # Beware to use this! Any help would be appreciated. I'm feeling beat up by what should be so simple... :^( Mike