Where would you recommend I put the rule? The custom config file at /etc/sysconfig/scripts/SuSEfirewall-custom seems the most obvious place to me, but I cannot decide which section it best belongs in. Again, based on pure guesswork, my inlination is to put it in the fw_custom_before_masq() section, but my iptables experience is not what it could be (coming from ipfw on FreeBSD, a much simpler tool, but equally not as flexible). I have read such documentation as I can find about SuSEfirewall2 configuration, but it has not brought me any closer to making the decision! Any insight would be much appreciated.

edit (e.g. with mcedit or vi) your /etc/sysconfig/SuSEfirewall2 go to: # 15.) # Which accesses to services should be redirected to a localport on the # firewall machine? # # This can be used to force all internal users to surf via your squid proxy, # or transparently redirect incoming webtraffic to a secure webserver. # # Choice: leave empty or use the following explained syntax of redirecting # rules, seperated by a space. # A redirecting rule consists of 1) source IP/net, 2) destination IP/net, # 3) protocol (tcp or udp) 3) original destination port and 4) local port to # redirect the traffic to, seperated by a colon. e.g.: # "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080" # Please note that as 2) destination, you may add '!' in front of the IP/net # to specify everything EXCEPT this IP/net. # MYNET="192.168.0.0/24" FW_REDIRECT="$MYNET,0/0,tcp,80,3128" Example, your net: full subnet: 192.168.0.0 - 192.168.0.255 = 192.168.0.0/24 or half subnet: 192.168.0.0 - 192.168.0.127 = 192.168.0.0/25 or greater address range: 192.168.0.0 - 192.168.255.255 = 192.168.0.0/16 The number after the / can be calculated by following: 32 - <bitlength of address range>, e.g.: 0 - 255 = 256 = 8 bit => 24 Proxy runs on 3128 on firewall Traffic from lan get's redirected to 3128 local on firewall and then runs as transparent proxy. Philippe