Re: [suse-security] SuSEfirewall2 - problems with DMZ
> All works fine. But now I want to add a second server (mail) to the DMZ. I added the appropriate entry to the FW_FORWARD parameter. I can ping the two servers from the firewall successfully. This means you can reach both IPs on 192.168.70.0. But from an inner-LAN client I can reach the webserver, but not the mailserver. Neither a ping nor a telnet to the SMTP port works. The firewall logs regarding DENYs or similar are empty.

If I understand it correctly: you allow ping. So you can ping your webserver 192.168.70.10, but not your mail server 192.168.70.1?
Yes, that's right.
> But why? When I add the mailserver to the "FW_FORWARD_MASQ" parameter, I can reach the box from the internet without problems.

If you can reach your mail server when it's MASQ, you will masq the IP and the firewall. Maybe your default router is wrong. It must be the IP of the firewall's NIC that belongs to the DMZ. Try a traceroute from your mail server into your internal network to prove this.
Thank you for the thoughts. In the meantime I found the error. I tried to ping the two boxes in the DMZ successively. On the firewall I sniffed the packets with tcpdump. So I saw that the "echo reply" from the mailserver did not come back. From this I concluded that the mailserver can't reach the clients because no routing entry to the client subnet was registered. I did that and all works fine. The pings came back... Thank you for your help.

Michael
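A small diagnostic in the spirit of the tcpdump check described above, added here as an example and not part of the original thread: it parses constructed tcpdump-style ICMP lines as captured on the firewall's DMZ interface and reports which DMZ hosts received echo requests but never sent a matching echo reply, which is exactly the symptom of a DMZ box with no route back to the client subnet. The client address 192.168.1.50 and the capture lines are assumptions; the DMZ addresses are those from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of what `tcpdump -ni <dmz-if> icmp` could print on the
# firewall while an inner-LAN client (192.168.1.50, assumed) pings both DMZ
# hosts: the web server answers, the mail server (192.168.70.1) never does.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.50 > 192.168.70.10: ICMP echo request, id 1234, seq 1, length 64
12:00:01.000300 IP 192.168.70.10 > 192.168.1.50: ICMP echo reply, id 1234, seq 1, length 64
12:00:02.000001 IP 192.168.1.50 > 192.168.70.10: ICMP echo request, id 1234, seq 2, length 64
12:00:02.000300 IP 192.168.70.10 > 192.168.1.50: ICMP echo reply, id 1234, seq 2, length 64
12:00:03.000001 IP 192.168.1.50 > 192.168.70.1: ICMP echo request, id 1235, seq 1, length 64
12:00:04.000001 IP 192.168.1.50 > 192.168.70.1: ICMP echo request, id 1235, seq 2, length 64
"""

ICMP_LINE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp(capture):
    """Yield (src, dst, kind, id, seq) for every echo request/reply line."""
    for line in capture.splitlines():
        m = ICMP_LINE.search(line)
        if m:
            yield (m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"]))

def unanswered_echo_requests(capture):
    """Map each DMZ host to the (client, id, seq) requests it never answered."""
    pending = {}
    for src, dst, kind, ident, seq in parse_icmp(capture):
        if kind == "request":
            pending[(src, dst, ident, seq)] = True
        else:
            # A reply swaps src/dst; the same id/seq identifies the request.
            pending.pop((dst, src, ident, seq), None)
    missing = defaultdict(list)
    for client, host, ident, seq in pending:
        missing[host].append((client, ident, seq))
    return dict(missing)

def silent_hosts(capture):
    """DMZ hosts that were pinged at least once and replied to nothing."""
    targeted, answered = set(), set()
    for src, dst, kind, _ident, _seq in parse_icmp(capture):
        (targeted if kind == "request" else answered).add(dst if kind == "request" else src)
    return sorted(targeted - answered)

if __name__ == "__main__":
    for host, reqs in unanswered_echo_requests(SAMPLE_CAPTURE).items():
        print(f"{host}: {len(reqs)} echo request(s) without reply")
    # A host listed here is the one to check with `ip route get <client-ip>`.
    print("never replied:", silent_hosts(SAMPLE_CAPTURE))
```

A host that shows up as never replying while the firewall logs no DENY is the one whose own routing table needs the entry for the client subnet, as the thread concluded.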
participants (1)
-
Michael Boettjer