firewall2: routing between DMZ and INT
Hello all,

SuSE firewall2 on SuSE 7.3 with external, internal and DMZ interface:

EXT: static (official) IP address (a.b.c.d)
DMZ: static (official) IP address (w.x.y.z) with the appropriate subnet attached to it
INT: 192.168.1.1 (masqueraded on DEV_EXT)

Almost everything is working: routing between the subnets as far as allowed in FW_FORWARD and FW_FORWARD_MASQ is working properly (almost too good); masquerading is working, as well as squid in transparent mode.

Now I have two problems with using the rules for the DMZ:

I'd like to allow the machines in the DMZ unrestricted access (for the beginning) to the internet (in front of EXT). For that reason I put the following rules in FW_FORWARD:

"DMZ-net,0/0 0/0,DMZ-net"   # DMZ-net is of course written as w.x.y.0/24

Well, everything works now for the DMZ, but the DMZ can also reach the internal hosts (192.168.1.0/24) directly, and that's absolutely not what I want. Does anybody know how I could prevent this?

The second problem is that I'd like to access the DMZ from the internal network, but without allowing the DMZ to connect to the internal LAN. How can I tell the firewall to allow only connections from the DMZ to the INT that have been initiated from internal? In the DMZ all internal machines appear with their proper IPs (e.g. 192.168.1.50). Is this a question of FW_MASQ_DEV?

Probably the two problems are of the same kind, and perhaps I could do this in firewall2-custom.rc.config? But because I'm rather a beginner, I don't want to do something very stupid that would open my firewall. If anybody has any advice or experience on this topic, please let me know.
Any help very welcome,
Andreas

Slightly censored firewall2.rc.config:

FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/16"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh domain"
FW_SERVICES_EXT_UDP="domain"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="domain ssh 3128"
FW_SERVICES_DMZ_UDP="domain"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ssh domain 3128"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
FW_FORWARD="192.168.1.0/24,DMZ"
FW_FORWARD_MASQ=""
FW_REDIRECT="192.168.100.0/24,0/0,tcp,80,3128"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
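A toy model of the stateful forward policy behind the two questions above, added here as an illustration and not SuSEfirewall2's own rule generator (the DMZ range and the external host are constructed placeholders for the official w.x.y.0/24): it shows that the posted FW_FORWARD lets the DMZ open connections to INT, that a specific DMZ-to-INT drop placed before the broad allow stops that while replies to connections opened from INT still pass through connection tracking, and that the same drop appended after the allow never fires.

```python
import ipaddress

# Constructed addresses: 192.168.1.0/24 is the INT net from the post; the DMZ
# range and the external host are placeholders for the official w.x.y.0/24.
INT_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("10.9.8.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ_HOST, INT_HOST, EXT_HOST = "10.9.8.10", "192.168.1.50", "198.51.100.7"


class StatefulForward:
    """Toy model of an iptables FORWARD chain with a conntrack-style state table."""

    def __init__(self, rules):
        self.rules = rules   # list of (src_net, dst_net, verdict), first match wins
        self.flows = set()   # (initiator, responder) pairs accepted as NEW

    def forward(self, src, dst):
        if (dst, src) in self.flows:   # reply: '-m state --state ESTABLISHED'
            return "ACCEPT"
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for src_net, dst_net, verdict in self.rules:
            if s in src_net and d in dst_net:
                if verdict == "ACCEPT":
                    self.flows.add((src, dst))
                return verdict
        return "DROP"        # default policy of the FORWARD chain


# The post's FW_FORWARD "DMZ-net,0/0 0/0,DMZ-net": DMZ may open to anything,
# and "anything" includes the internal hosts.
POSTED = [(DMZ_NET, ANY, "ACCEPT"), (ANY, DMZ_NET, "ACCEPT")]
# Same two rules with a specific DMZ->INT drop placed in front of them; INT may
# still open to the DMZ, and the DMZ's replies pass only through the state table.
INTENDED = [(DMZ_NET, INT_NET, "DROP")] + POSTED
# The same drop appended instead of prepended never fires: first match wins.
MISORDERED = POSTED + [(DMZ_NET, INT_NET, "DROP")]


def check_policy(rules):
    """Verdict per direction on a fresh chain; the last entry is the DMZ host
    answering a connection that the internal host opened."""
    fw = StatefulForward(rules)
    return {
        "dmz_to_int_new": fw.forward(DMZ_HOST, INT_HOST),
        "dmz_to_ext_new": fw.forward(DMZ_HOST, EXT_HOST),
        "int_to_dmz_new": fw.forward(INT_HOST, DMZ_HOST),
        "dmz_to_int_reply": fw.forward(DMZ_HOST, INT_HOST),
    }
```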
participants (1)
-
Andreas Marbet