The SuSEfirewall2 v1.6 is quite good! I found the thing.

My internal net is 192.175.233.0/24; my external net is 192.175.233.0/30 (a two-bit subnet with only the router and my firewall in it). There are rules to prevent boxes from external from being routed to internal if they have an internal address. Unfortunately, 192.175.233.0/24 (my internal net) includes 192.175.233.0/30 (my external net). So my router cannot communicate with internal boxes.

This is not as bad as it seems, because all packets which are forwarded from outside are not rejected by the ANTI-SPOOF rule (but it is most likely that they are rejected by other rules ;-))

For configuration purposes I simply delete the two DROP rules and the two LOG rules from the input_ext chain (and maybe from the forward_ext chain if I want forwarding to my router).

Steffen Schoch and Martin Haas answered
...
"Burghard W.V. Britzke" wrote:
Hello, I have problems contacting my firewall from outside. Our uunet router is able to contact our firewall and some of the services provided internally from outside. But when I plug a local PC with the same IP address into the FW_DEV_EXT network and try to connect to smtp (for example) I get

SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=... SRC=<router> DST=<firewall> LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=546 DF PROTO=TCP SPT=1043 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

Again: the uunet router is able to send mail via the smtp port and I do not get the above error message. Why do I get those messages?
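
The overlap described in the reply at the top of this thread can be checked mechanically. The following is an added example, not part of the original posts and not SuSEfirewall2's own code: it models the anti-spoof rule simply as "drop packets arriving on the external interface whose source lies in an internal network", and shows the alternative of carving the external /30 out of the match set instead of deleting the rules. The two networks are the ones from the post; the host addresses and function names are constructed for illustration.

```python
import ipaddress

# Networks from the post; the host addresses used below are constructed samples.
INTERNAL = ipaddress.ip_network("192.175.233.0/24")
EXTERNAL = ipaddress.ip_network("192.175.233.0/30")


def spoof_sources(internal, external):
    """Source ranges to treat as spoofed on the external interface.

    If the external subnet lies inside the internal one, carve it out so
    legitimate external neighbours (the router) no longer match.
    """
    if external != internal and external.subnet_of(internal):
        return sorted(internal.address_exclude(external))
    return [internal]


def dropped_as_spoof(src, spoof_nets):
    """True if a packet seen on the external interface with this source matches."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in spoof_nets)


def compare(sources):
    """Return {src: (naive_verdict, carved_verdict)} for each source address."""
    naive = [INTERNAL]                        # rule as described in the post
    carved = spoof_sources(INTERNAL, EXTERNAL)
    return {s: (dropped_as_spoof(s, naive), dropped_as_spoof(s, carved))
            for s in sources}


if __name__ == "__main__":
    samples = [
        "192.175.233.1",   # assumed router address inside the external /30
        "192.175.233.77",  # internal address appearing on the external side
        "198.51.100.7",    # forwarded traffic from elsewhere (documentation range)
    ]
    print("carved match set:", [str(n) for n in spoof_sources(INTERNAL, EXTERNAL)])
    for src, (naive, carved) in compare(samples).items():
        print(f"{src:15} naive_drop={naive!s:5} carved_drop={carved}")
```

With the carved match set, an internal source address showing up on the external interface is still dropped, while the router's own subnet is not.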