Hello,

I am pulling my hair out over Xen and SuSEfirewall. After messing around with things in Xen, I discovered that rather than a misconfiguration, SuSEfirewall was causing a "dead" network. Looking in the docs, it says:

"If you use SUSEfirewall2, you'll probably want to add xenbr0, peth0, vif0.0 and the vifX.1 [X in 1 ... N] to the list of interfaces; as eth0 is on there, you'll probably want to add xenbr0 to the same class as eth0. You also need to enable forwarding (FW_FORWARD="yes") and allow forwarding of packets from xenbr0, vif0.0 and vifX.1, possibly by inserting a custom rule into the forward_XXX chain. For testing it's easiest to disable SuSEfirewall2, make sure that iptables -P FORWARD ACCEPT is set."

I cannot really tell what this means, and what I should do about it. I have added the interfaces to INTERNAL and set FW_FORWARD="yes". This seems to conflict with the comments in the SuSEfirewall config file, which seem to expect [sourcenet],[destnet]. I have no idea how to allow forwarding from the different interfaces, can anyone help?

It is a strange way that the interfaces are set up, from the docs again:

"When using bridging, in domain0, the eth0 device will be renamed to peth0 and its MAC addr be set to fe:ff:ff:ff:ff:ff and ARP disabled. veth0 will take over the old MAC address, be renamed to eth0 and be enabled (ifup'ed). vif0.0 and peth0 are then enslaved to xenbr0. veth0 is connected to vif0.0 behind the scenes, that's why it works."

I can get a DHCP address with the firewall up, but cannot ping or query DNS. With the firewall down, everything works fine.

Any suggestions welcome!

Thanks,
H