I've been struggling for several days trying to set up Firewall 3.3 despite having closely studied the provided scripts, examples and FAQ.

The system configuration is:

         -- eth0 192.168.1.1 -- net 192.168.1.0/24 (internal)
ppp0 --|
         -- eth1 192.168.2.1 -- webserver 192.168.2.3 (DMZ)

[this is really only a reduced subset of example 5 in the documentation]

Despite setting:

    FW_FORWARD_MASQ_TCP="0/0,192.168.2.3,80"

packets from ppp0 and eth0 are being blocked from reaching 192.168.2.3.

The only way I have been able to get the internal network to see the webserver is to open up a connection using

    FW_FORWARD_IP="192.168.1.0/24,192.168.2.3,tcp"

and removing the entries for FW_FORWARD_MASQ_TCP (because if they are left in, packets are blocked) and, of course, external connections are not possible.

So the question is: is it possible to set up both external and internal connections to the webserver?

I'm sure that I'm missing something simple but sadly I haven't been able to see it!

All help gratefully accepted.

David