Hi,

I'm having a problem and hope someone can help ... All IPs are just examples.

I have a server (host) (IP: 1.2.3.4/24, GW 1.2.3.254) on which I use KVM i.c.w. libvirt. So far everything is working ... The physical interface 'eth0' is bound to 'br0'.

Now I have a VM, which also has an 'official IP' (e.g. 5.6.7.8/32, GW: 1.2.3.254). The VM has an 'allowed' MAC for use in 'bridged' mode ... so far everything works from outside. I am able to ping the VM (5.6.7.8) from outside.

SuSEfirewall2 is active on the host, on the VM not yet ... finally, I am not able to ping to the outside from the VM.

If the firewall on the host is OFF and I start pinging from the VM to the outside, the ping works ... Even if I start the firewall on the host, the ping continues. But if I stop the ping and start it again, the ping does not work anymore.

Sadly there are no DROPS in the LOG. It also does not matter if FW_FORWARD_ALLOW_BRIDGING is ON or OFF ...

I tried to experiment a bit (added new vars ... functions):

    FW_FORWARD_EXT_TO_BRIDGED_VM="yes"
    FW_DEV_EXT_PHYS="eth0"
    FW_DEV_VM_PHYS="fw0"

    allow_ext_to_bridge()
    {
        local iptables

        # Only add the rules when the new switch is set to "yes"
        case "${FW_FORWARD_EXT_TO_BRIDGED_VM}" in
            yes) ;;
            no) return ;;
        esac

        # $IPTABLES and $IP6TABLES come from the surrounding SuSEfirewall2 script
        for iptables in "$IPTABLES" "$IP6TABLES"; do
            # Accept bridged traffic in both directions between the external port and the VM port
            $iptables -A FORWARD -m physdev --physdev-in "${FW_DEV_EXT_PHYS}" --physdev-out "${FW_DEV_VM_PHYS}" -j ACCEPT
            $iptables -A FORWARD -m physdev --physdev-in "${FW_DEV_VM_PHYS}" --physdev-out "${FW_DEV_EXT_PHYS}" -j ACCEPT
        done
    }

An iptables.save will show my stuff like the following:

---snip---
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m physdev --physdev-in eth0 --physdev-out fw0 -j ACCEPT
-A FORWARD -m physdev --physdev-in fw0 --physdev-out eth0 -j ACCEPT
-A FORWARD -i br0 -j forward_ext
---snip---

Hopefully someone can push me in the right direction ...

Thank you

-- 
Christian

----------------------------------------------------
- Please do not 'CC' me on list mails.
  Just reply to the list :)
----------------------------------------------------