Hi,

I want to set up a firewall which should only "protect" ONE MS-WWW-Server (that has no official IP). The server should not have ANY access to anything; the firewall should only offer telnet from certain addresses (restricted by /etc/xinetd.conf). eth0 is the internet, the WWW-Server is connected to eth1 (the webserver has IP 192.168.0.2). Every time a request to port 80 of the firewall is made, it should be forwarded to the server, and the answer should be sent back.

I'm using SuSE 7.3 and SuSEfirewall2. My configuration file is:

FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.2"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="telnet"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,192.168.0.2,tcp,80 0/0,192.168.0.2,tcp,443"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"

Now the problem is: It only works when FW_MASQ_NETS is set to "192.168.0.2", but then the server has access to the internet, which I wanted to avoid! If I don't set FW_MASQ_NETS to the internal server IP, all http requests are logged as "... ALLOWED ... DST=192.168.0.2 ..." (seems o.k.!) in /var/log/firewall, but there is no response from the server.

What can I do?

Thank You,
Marc