...

the INTERNAL interface has a private ip address (192.168.x.x). i am talking about the EXTERNAL and the DMZ interface !!

i want to do that, because they've got only 8 public ip-addresse (so 6 actually)

So use 10.0.0.1 on the DMZ interface. as long as no-one on the INTERNET needs to talk directly to that interface it'll work fine. I.e. a traceroute would show

1.2.3.4 (your isp's router) 5.6.7.8 (external ip on your firewall) * * * (can't talk to him....) 5.6.7.9 (IP of your server on the DMZ).

See?

-Kurt

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

If you do not have enough IP numbers consider port forwarding. E. g., everything that comes in on your firewalls external ip address on port 80 is forwarded to the http-server/proxy in the dmz. In such a setup, the dmz host can have a private address and reside in a private network. With such a setup you can provide a complete internet service (web, email, dns etc.) on just one IP number (if you do not have several hosts for the same service - e. g. http/80 on host1 and host2). --emmerich