Hello all,

I am "desperately" in search of help with configuring my SuSEfirewall2 on 8.1 Pro and Squid with a few Windows 2000 and XP Pro machines.

Present configuration: SuSE 8.1, no DNS (ISP provides DNS), no DHCP server or clients, FTPd, SSH, http & https; in the future, SQUID and SAMBA.

I use a broadband connection -> Linksys BEFSX41 (VPN endpoint router which accepts its WAN IP via DHCP, C.C.C.C/255.255.255.0, internal static IP 10.x.x.A/255.255.255.0) -> Linux Pro 8.1 [eth0 static IP 10.x.x.B/255.255.255.0, eth1 static IP 10.x.x.C/255.255.255.0], Win XP Pro static IP 10.x.x.D/255.255.255.0, and Win2k Pro static IP 10.x.x.E/255.255.255.0. It works fine and I use personal software firewalls for the Windows machines.

My hopes are to set up the network like this:

Broadband connection -> Linksys BEFSX41 (WAN DHCP, internal IP static) -> [eth0] Linux Firewall-2 & Squid proxy [eth1] -> hub {or better yet an internal print server box w/ hub in it} -> Windows machines with static IPs.

I have been reading the SuSEfirewall2 examples and a great "unofficial FAQ" on SuSEfirewall2 by Togan Muftoglu.

First and foremost, I am NEW to configuring firewalls. Second, I should pick it up quickly if I can make heads or tails of what combination of rules to use together. Third, I would like to just get the firewall up and running with Windows clients connecting through it WITHOUT THE PROXY; that I can work out later.

1.) FW_QUICKMODE="no"
2.) FW_DEV_EXT="eth0"
3.) FW_DEV_INT="eth1"
4.) FW_DEV_DMZ=""

This is where I get a bit lost, whether or not I should set these switches/options:

5.) FW_ROUTE="no"  I should set this to YES until I get my proxy going?
6.) FW_MASQUERADE="no"  I should set this to YES until I get my proxy going, then set it back to NO?
6a.) FW_MASQ_DEV="eth0" or "$FW_DEV_EXT"
6b.) FW_MASQ_NETS=""  This I want to restrict to only the services I use: WWW, FTP, SSH, SC, receive email via POP3, send email via SMTP (a few games, Starcraft and CounterStrike, but these are too important). My internal IPs are 10.x.x.x/255.255.255.0; there are 3 machines, 2 workstations and 1 laptop.
7.) FW_PROTECT_FROM_INTERNAL="yes"  Is this similar to FW_MASQ_NETS?
8.) FW_AUTOPROTECT_SERVICES="yes"  So with this set to YES, I then have to add the IP/net/protocol/port# and these need to be set in FW_SERVICES_EXT_TCP,UDP & FW_SERVICES_INT_TCP,UDP? But what about an entry FW_SERVICE_*_TCP,UDP...?
9.) FW_SERVICES_EXT_TCP="www ssh"  But what about SSL and FTP?
9.) FW_SERVICES_EXT_UDP=""
9.) FW_SERVICES_INT_TCP=""
9.) FW_SERVICES_INT_UDP=""
9a.) FW_SERVICES_QUICK_TCP=""
9a.) FW_SERVICES_QUICK_UDP=""
9a.) FW_SERVICES_QUICK_IP=""
10.) FW_TRUSTED_NETS=""
11.) FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"  Can I specify the port #s in here?
11.) FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"  Is this required for DNS for the internal network machines?
12.) FW_SERVICE_AUTOPROTECT="yes"
12.) FW_SERVICE_DNS="no"
12.) FW_SERVICE_DHCLIENT="no"
12.) FW_SERVICE_DHCPD="no"
12.) FW_SERVICE_SQUID="no"  Soon I hope to configure SQUID, but I need to buy a book or read a lot more online.
12.) FW_SERVICE_SAMBA="no"
13.) FW_FORWARD=""
14.) FW_FORWARD_MASQ=""
15.) FW_REDIRECT=""  This I should set up for SQUID? 10.x.x.x/y,0/0,tcp,80,3128 0/0, 10.x.x.a,tcp,80,8080
16.) FW_LOG_DROP_CRIT="yes"
16.) FW_LOG_DROP_ALL="no"
16.) FW_LOG_ACCEPT_CRIT="yes"
16.) FW_LOG_ACCEPT_ALL="no"
16.) FW_LOG="--log-level warning --log-tcp-options --log-ip-options --log-prefix SuSE-FW"
17.) FW_KERNEL_SECURITY="yes"
18.) FW_STOP_KEEP_ROUTING_STATE="no"
19.) FW_ALLOW_PING_FW="yes"
19.) FW_ALLOW_PING_DMZ="no"
19.) FW_ALLOW_PING_EXT="no"
20.) FW_ALLOW_TRACEROUTE="no"
21.) FW_ALLOW_SOURCEQUENCH="yes"
22.) FW_ALLOW_FW_BROADCASTS="no"
22.) FW_IGNORE_FW_BROADCASTS="yes"
23.) FW_ALLOW_CLASS_ROUTING="no"
25.) FW_CUSTOMRULES=""
26.) FW_REJECT="no"

So if anyone has some time to help me out I would be greatly appreciative and send you all the good karma I can muster :) If anyone can recommend any books that I should pick up that may help me understand these rules, that would be great also.

Sincerely,
Ash
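As an added example (not from Ash's post and not part of SuSEfirewall2), a small POSIX sh check that runs over a config file of the shape listed above and reports the slips a first-time setup tends to contain: a value whose quotes do not match, a misspelt variable name that the firewall would silently ignore, and FW_MASQUERADE="yes" without FW_ROUTE="yes" or without any network in FW_MASQ_NETS. The list of known variable names is taken from the post; the sample config and the /tmp path are constructed assumptions.

```shell
# Added check for a SuSEfirewall2 config of the shape listed in the post.
# Variable names taken from the post; anything else is reported as a probable typo.
KNOWN_VARS="FW_QUICKMODE FW_DEV_EXT FW_DEV_INT FW_DEV_DMZ FW_ROUTE FW_MASQUERADE \
FW_MASQ_DEV FW_MASQ_NETS FW_PROTECT_FROM_INTERNAL FW_AUTOPROTECT_SERVICES \
FW_SERVICES_EXT_TCP FW_SERVICES_EXT_UDP FW_SERVICES_INT_TCP FW_SERVICES_INT_UDP \
FW_TRUSTED_NETS FW_SERVICE_DNS FW_SERVICE_DHCLIENT FW_SERVICE_DHCPD FW_SERVICE_SQUID \
FW_SERVICE_SAMBA FW_FORWARD FW_FORWARD_MASQ FW_REDIRECT FW_LOG_DROP_CRIT \
FW_LOG_ACCEPT_CRIT FW_REJECT"

# fw2_get FILE VAR: value of VAR's last assignment with surrounding quotes stripped
fw2_get() {
    sed -n "s/^$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# fw2_check FILE: prints one finding per line; prints nothing when all is well
fw2_check() {
    f=$1
    # 1. every value must sit in one matching pair of double quotes
    grep '^FW_[A-Za-z_]*=' "$f" | grep -v '^FW_[A-Za-z_]*="[^"]*"$' | sed 's/^/bad-quoting: /'
    # 2. names the firewall does not know are silently ignored, so flag them
    for v in $(sed -n 's/^\(FW_[A-Za-z_]*\)=.*/\1/p' "$f"); do
        case " $KNOWN_VARS " in
            *" $v "*) ;;
            *) echo "unknown-variable: $v" ;;
        esac
    done
    # 3. masquerading needs routing enabled and at least one internal net listed
    if [ "$(fw2_get "$f" FW_MASQUERADE)" = yes ]; then
        [ "$(fw2_get "$f" FW_ROUTE)" = yes ] || echo "masquerade-without-route"
        [ -n "$(fw2_get "$f" FW_MASQ_NETS)" ] || echo "masquerade-without-nets"
    fi
    # 4. without an external interface there is nothing to protect
    [ -n "$(fw2_get "$f" FW_DEV_EXT)" ] || echo "no-external-device"
}

# fw2_write_sample FILE: constructed sample reproducing the slips in the post
fw2_write_sample() {
    cat > "$1" <<'EOF'
FW_DEV_EXT="eth0"
FW_DDEV_INT="eth1"
FW_ROUTE="no"
FW_MASQUERADE="yes"
FW_MASQ_NETS=""
FW_SERVICE_DHCLIENT='no"
FW_LOG_ACCEPT_CRIT=yes"
EOF
}

fw2_write_sample "${TMPDIR:-/tmp}/fw2-sample.cfg"   # placeholder path, not a live config
fw2_check "${TMPDIR:-/tmp}/fw2-sample.cfg"
```

Run it against a copy of /etc/sysconfig/SuSEfirewall2 before reloading the firewall; an empty result means none of the four checks fired.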