Hello,

on SUSE-LINUX 7.0, kernel 2.2.16, I've installed the firewall in the sense of a packet filter (no proxies, no DMZ, no masquerading). From a firewall-external host (192.168.0.3), I tried to establish a connection (ssh, ping or http to our internal webserver (xx.yy.zz.15)) but have failures.

The network topology is:

    external        firewall       firewall       internal
    argos           eth1           eth0           webserver
    192.168.0.3     192.168.0.2    xx.yy.zz.42    xx.yy.zz.15

In the case of trying to connect from the external web client to our webserver http://xx.yy.zz.15, the /var/log/firewall file on the firewall host notices:

    kernel: Packet log: forward ACCEPT eth0 PROTO=6 192.168.0.3:36341 xx.yy.zz.15:80

With ethereal, I've logged on the internal interface (eth0) of the dual-homed firewall host the message:

    Source               Destination    Protocol   Info
    argos xx.yy.zz.42    xx.yy.zz.15    TCP        Source Port 36345 > Dest. Port http (80)

So I conclude that my web request toward my webserver is handled correctly. But with ethereal on the webserver interface, I cannot receive the request message (going to port 80, http). After the web client request has timed out, the web client host (argos) reports the message "unable to connect to server".

The firewall.rc.config file looks like:

    # 2.)
    FW_DEV_WORLD="eth1"
    FW_DEV_WORLD_eth1="192.168.0.2 255.255.255.0"
    # 3.)
    FW_DEV_INT="eth0"
    FW_DEV_INT_eth0="xx.yy.zz.42 255.255.255.0"
    # 4.)
    FW_DEV_DMZ=""
    # 5.)
    FW_ROUTE="yes"
    # 6.)
    FW_MASQUERADE="no"
    FW_MASQ_NETS=""
    FW_MASQ_DEV="$FW_DEV_WORLD"            # e.g. "ippp0" or "$FW_DEV_WORLD"
    # 7.)
    FW_PROTECT_FROM_INTERNAL="no"          # -> NIS ypbind
    # 8.)
    FW_AUTOPROTECT_GLOBAL_SERVICES="no"    # "yes" is a good choice
    # 9.)
    FW_SERVICES_EXTERNAL_TCP="0:65535"     # for trial
    FW_SERVICES_EXTERNAL_UDP="0:65535"     # for trial
    FW_SERVICES_INTERNAL_TCP="0:65535"     # for trial
    FW_SERVICES_INTERNAL_UDP="0:65535"     # for trial
    # 10.)
    FW_TRUSTED_NETS="192.168.0.0 xx.yy.zz.0/24"
    FW_SERVICES_TRUSTED_TCP="ssh 8 80 443"  # Common: ssh
    FW_SERVICES_TRUSTED_UDP="8"             # Common: syslog time ntp
    # 11.)
    FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"   # Common: "ftp-data" (sadly!)
    FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"   # Common: "dns"
    # 12.)
    FW_SERVICE_DNS="no"
    FW_SERVICE_DHCLIENT="no"
    FW_SERVICE_DHCPD="no"
    FW_SERVICE_SAMBA="no"
    # 13.)
    FW_FORWARD_TCP=""                       # Beware to use this!
    FW_FORWARD_TCP="192.168.0.3/24,xx.yy.zz.15,80 192.168.0.3/24,xx.yy.zz.4,22"
    FW_FORWARD_UDP=""                       # Beware to use this!
    # 14.)
    FW_FORWARD_MASQ_TCP=""                  # Beware to use this!
    FW_FORWARD_MASQ_UDP=""                  # Beware to use this!
    # 15.)
    FW_REDIRECT_TCP=""
    FW_REDIRECT_UDP=""
    # 16.)
    FW_LOG_DENY_CRIT="yes"
    FW_LOG_DENY_ALL="yes"
    FW_LOG_ACCEPT_CRIT="yes"
    FW_LOG_ACCEPT_ALL="no"                  # normally no
    # 17.)
    FW_KERNEL_SECURITY="no"
    # 18.)
    FW_STOP_KEEP_ROUTING_STATE="no"
    # 19.)
    FW_ALLOW_PING_FW="yes"
    FW_ALLOW_PING_DMZ="no"
    # 20.)
    FW_ALLOW_FW_TRACEROUTE="no"
    # 21.)
    FW_ALLOW_FW_SOURCEQUENCH="yes"
    # 22.)
    FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive"

So, if anyone has a solution to get a connection established, let me know.

Thanks
Jürgen Foag

-- 
_____________________________________________________________________
Telefon: +49 (0) 89 / 289 - 25290      Fax: +49 (0) 89 / 289 - 28323
Technische Universität München - Lehrstuhl f. Integrierte Schaltungen
Arcisstrasse 21 - 80290 München - Deutschland / Germany
E-Mail: Juergen.Foag@ei.tum.de
Homepage: http://www.lis.e-technik.tu-muenchen.de/people/jf.html
_____________________________________________________________________
If everything you try works, you are not trying hard enough ! (Gordon Moore)
_____________________________________________________________________
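The post quotes a single ipchains "Packet log:" line from /var/log/firewall and reasons from its chain name (forward) and verdict (ACCEPT) about where the request got lost. As an added example, not part of the original post or of SuSEfirewall, the following parser pulls chain, verdict, interface, protocol, addresses, ports and rule number out of such lines and summarizes them, so that one can check across a whole log which chain and verdict a given destination actually hit. The log lines are constructed here: the poster's own line is included verbatim (with the anonymized xx.yy.zz.15 address), and the others use the documentation range 192.0.2.0/24 in its place and carry the trailing L=/S=/I=/F=/T= fields and "(#rule)" number that the kernel 2.2 ipchains logger appends; the parser treats those trailing fields as optional.

```python
import re
from collections import Counter

# ipchains (kernel 2.2) "Packet log:" format:
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> [L= S= I= F= T= ... (#rule)]
# Addresses are matched with [\w.]+ so that anonymized ones like xx.yy.zz.15
# (as quoted in the post) parse as well as real dotted quads.
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>ACCEPT|DENY|REJECT|MASQ|REDIRECT) "
    r"(?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample log (syslog prefix + ipchains line); the first entry is
# the line quoted in the post, the rest are made up for this example.
SAMPLE_LOG = [
    "kernel: Packet log: forward ACCEPT eth0 PROTO=6 192.168.0.3:36341 xx.yy.zz.15:80",
    "Mar  5 10:12:01 fw kernel: Packet log: forward ACCEPT eth0 PROTO=6 192.168.0.3:36342 192.0.2.15:80 L=60 S=0x00 I=4711 F=0x4000 T=63 SYN (#6)",
    "Mar  5 10:12:04 fw kernel: Packet log: forward ACCEPT eth0 PROTO=6 192.168.0.3:36342 192.0.2.15:80 L=60 S=0x00 I=4712 F=0x4000 T=63 SYN (#6)",
    "Mar  5 10:12:09 fw kernel: Packet log: input DENY eth1 PROTO=17 192.168.0.3:1029 192.168.0.2:137 L=78 S=0x00 I=22 F=0x0000 T=64 (#12)",
    "Mar  5 10:12:10 fw kernel: Packet log: input ACCEPT eth1 PROTO=1 192.168.0.3:8 192.168.0.2:0 L=84 S=0x00 I=23 F=0x0000 T=64 (#3)",
    "Mar  5 10:12:11 fw sshd[123]: Accepted password for admin from 192.168.0.3",
]


def parse_packet_log(line):
    """Return the fields of one ipchains log line as a dict, or None for other lines."""
    m = PACKET_LOG_RE.search(line)
    if not m:
        return None
    rec = {
        "chain": m.group("chain"),
        "verdict": m.group("verdict"),
        "iface": m.group("iface"),
        "proto": PROTO_NAMES.get(int(m.group("proto")), m.group("proto")),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }
    # The rule number "(#n)" is only present on full kernel lines.
    rule = re.search(r"\(#(\d+)\)", m.group("rest"))
    rec["rule"] = int(rule.group(1)) if rule else None
    return rec


def summarize(lines):
    """Count log entries per (chain, verdict, dst:dport)."""
    counts = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None:
            continue
        counts[(rec["chain"], rec["verdict"], f'{rec["dst"]}:{rec["dport"]}')] += 1
    return counts


def chains_seen_for(lines, dst, dport):
    """Set of chains that logged a packet to dst:dport.

    A packet logged as ACCEPT in 'forward' has already passed 'input' and is
    leaving the firewall; if the target host's sniffer never sees it, the
    packet filter is not what dropped it and the next hop is where to look.
    """
    return {
        rec["chain"]
        for rec in map(parse_packet_log, lines)
        if rec and rec["dst"] == dst and rec["dport"] == dport
    }


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        chain, verdict, target = key
        print(f"{chain:8s} {verdict:7s} {target:20s} {n}")
    print("chains for 192.0.2.15:80:", chains_seen_for(SAMPLE_LOG, "192.0.2.15", 80))
```

Run on a real /var/log/firewall, replace SAMPLE_LOG with the file's lines; with FW_LOG_DENY_ALL="yes" and FW_LOG_ACCEPT_CRIT="yes" as in the posted config, both DENY and the interesting ACCEPT entries land in the log, so the summary shows per destination whether a connection attempt was dropped on input, dropped on forward, or forwarded.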