Web-Server in DMZ, SuSEfirewall2
I use SuSE 7.3 Prof with the latest SuSEfirewall2 from Marc Heuse. I have three NICs in the Bastion Host (one for the internet with an officially assigned IP address, one for the DMZ (192.168.5.0/24) and one to the second firewall system (192.168.1.0/24)). The second firewall system connects to the internal LAN. At the moment that's not of interest.

On the Bastion Host (no proxies, no services) I want to give access from the internet to the Web-Server in the DMZ (ports 80 and 443). I have read all the documentation, FAQs, examples and so on, but I think I make mistakes in firewall2.rc.config and can't find them, because no access from the internet to the Web-Server is possible. It is possible to get access from the Bastion Host to the Web-Server. The logs tell me that the firewall makes a 'SuSE-FW-ACCEPT-REVERSE_MASQ' from the internet interface to the DMZ interface on the right ports (client initiates from >1024 to server destination 80 or 443), but that's all. Nothing happens, no answer, no packets on the NIC of the Web-Server :-(

My internet connection looks like:

                   Internet
                      |
               +--eth2--------+
               | Bastion Host |
               |              |-- eth1/DMZ --- Web-Server
               +--eth0--------+
                      |
               +--------------+
               | Firewall to  |
               | internal LAN |
               | with proxies |
               +--------------+
                      |
                 internal LAN

The masquerading/NAT is active on eth2.
eth1 is on net 192.168.5.0 (192.168.5.2)
eth0 is on net 192.168.1.0 (192.168.1.1)
The Web-Server is on net 192.168.5.0 (192.168.5.1), no IP forwarding.

There is no access from the internet to the DMZ Web-Server possible. The rest works fine (LAN - Internet). I want to create access from the internal LAN to the Web-Server too. But at the moment that's not of interest, because the other side won't work.

Here is the relevant extract from my configuration in firewall2.rc.config:

<--- Snip
# 2.)
FW_DEV_EXT="eth2"
# 3.)
FW_DEV_INT="eth0"
# 4.)
FW_DEV_DMZ="eth1"
# 5.)
FW_ROUTE="yes"
# 6.)
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.1.0/24,0/0,tcp,80 192.168.1.0/24,0/0,tcp,443 192.168.1.0/24,0/0,tcp,21 192.168.1.0/24,0/0,tcp,10021 192.168.1.0/24,0/0,tcp,53 192.168.1.0/24,0/0,udp,53"
# 7.)
FW_PROTECT_FROM_INTERNAL="yes"
# 8.)
FW_AUTOPROTECT_SERVICES="yes"
# 9.)
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
# Common: domain
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
# 10.)
FW_TRUSTED_NETS=""
# 11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
# 12.)
FW_SERVICE_AUTODETECT="yes"
# Autodetect the services below when starting
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
# 13.)
FW_FORWARD=""
# Beware to use this!
# 14.)
FW_FORWARD_MASQ="0/0,192.168.5.1,tcp,80 0/0,192.168.5.1,tcp,443"
# 15.)
FW_REDIRECT=""
# 16.)
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
# 17.)
FW_KERNEL_SECURITY="yes"
# 18.)
FW_STOP_KEEP_ROUTING_STATE="no"
# 19.)
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="no"
# EXPERT OPTIONS - all others please don't change these!
#
# 20.)
FW_ALLOW_FW_TRACEROUTE="yes"
# 21.)
FW_ALLOW_FW_SOURCEQUENCH="yes"
# 22.)
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
# 23.)
FW_ALLOW_CLASS_ROUTING="no"
# 25.)
#FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
Snap --->

Can someone help me please? What's wrong? :-)

Holger
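Added example, not from the post or from SuSEfirewall2 itself: a small Python checker that parses the FW_FORWARD_MASQ format used in the configuration above (source_net,target_ip,proto,port[,target_port]), flags settings that would keep DMZ port forwarding from working (FW_ROUTE/FW_MASQUERADE not "yes", target outside the DMZ net, bad ports), and renders the DNAT plus FORWARD rule pair each entry implies. The SAMPLE dict is constructed from the values quoted in the post; the iptables lines show the shape of the rules, not SuSEfirewall2's exact generated output.

```python
import ipaddress

# Constructed sample: interface and forwarding values taken from the post above.
SAMPLE = {
    "FW_DEV_EXT": "eth2",
    "FW_DEV_DMZ": "eth1",
    "FW_ROUTE": "yes",
    "FW_MASQUERADE": "yes",
    "FW_FORWARD_MASQ": "0/0,192.168.5.1,tcp,80 0/0,192.168.5.1,tcp,443",
}
DMZ_NET = ipaddress.ip_network("192.168.5.0/24")  # the DMZ net from the post

def parse_forward_masq(value):
    """Parse FW_FORWARD_MASQ entries: source_net,target_ip,proto,port[,target_port],
    separated by spaces. '0/0' is SuSEfirewall2 shorthand for 'any source'."""
    rules = []
    for entry in value.split():
        parts = entry.split(",")
        if len(parts) not in (4, 5):
            raise ValueError("malformed FW_FORWARD_MASQ entry: " + entry)
        src = "0.0.0.0/0" if parts[0] == "0/0" else parts[0]
        rules.append({
            "src": ipaddress.ip_network(src, strict=False),
            "target": ipaddress.ip_address(parts[1]),
            "proto": parts[2].lower(),
            "port": int(parts[3]),
            "target_port": int(parts[4] if len(parts) == 5 else parts[3]),
        })
    return rules

def check_config(cfg, dmz_net):
    """Return the problems that would silently break forwarding into the DMZ."""
    problems = []
    if cfg.get("FW_ROUTE") != "yes" or cfg.get("FW_MASQUERADE") != "yes":
        problems.append("FW_FORWARD_MASQ needs FW_ROUTE=yes and FW_MASQUERADE=yes")
    for r in parse_forward_masq(cfg.get("FW_FORWARD_MASQ", "")):
        if r["proto"] not in ("tcp", "udp"):
            problems.append(f"unsupported protocol {r['proto']}")
        if not (0 < r["port"] < 65536 and 0 < r["target_port"] < 65536):
            problems.append(f"port out of range in entry for {r['target']}")
        if r["target"] not in dmz_net:  # forwarding target must live in the DMZ
            problems.append(f"target {r['target']} is outside the DMZ net {dmz_net}")
    return problems

def to_iptables(cfg):
    """Render the DNAT (nat/PREROUTING) + FORWARD accept each entry implies."""
    ext, dmz, lines = cfg["FW_DEV_EXT"], cfg["FW_DEV_DMZ"], []
    for r in parse_forward_masq(cfg["FW_FORWARD_MASQ"]):
        lines.append(f"iptables -t nat -A PREROUTING -i {ext} -s {r['src']} -p {r['proto']} "
                     f"--dport {r['port']} -j DNAT --to-destination {r['target']}:{r['target_port']}")
        lines.append(f"iptables -A FORWARD -i {ext} -o {dmz} -d {r['target']} -p {r['proto']} "
                     f"--dport {r['target_port']} -j ACCEPT")
    return lines

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE, DMZ_NET) or ["config looks consistent"]))
    print("\n".join(to_iptables(SAMPLE)))
```

Run it against any firewall2.rc.config extract by replacing the SAMPLE values; an empty problem list only means the forwarding entries are self-consistent, not that the web server's own routing (its default gateway must point at 192.168.5.2) is correct.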
participants (1)
-
Holger.Schaekel@t-online.de