I'm trying to use the SUSe packet filter to set up simple firewall masquerading - am getting somewhat confused about what it is doing. Using SUSe 6.4, kernel 2.2.16..... The masquerading part seems to be working, it's just the firewall seems to block packets for no reason. At the offset, when Linux boots up, the last thing displayed is: Warning: interface ppp0 is faulty. Ignore if it's not active yet (eg [i]pp0) /sbin/ipchains: invalid mask '60' specified. This last "invalid mask '60' specified" message repeats 5 times. Locally, I have ip addr: 192.168.0.1, DNS (locally) and DHCP servers running, a windows box on 192.168.0.2. All the external IP information is assigned automatically - IP, DNS, gateway etc. here's the basics of the script: FW_DEV_WORLD="ppp0" FW_DEV_INT="eth0" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_NETS="192.168.0.0/60" FW_PROTECT_FROM_INTERNAL="no" FW_AUTOPROTECT_GLOBAL_SERVICES="no" # "yes" is a good choice FW_SERVICES_EXTERNAL_TCP="domain" FW_SERVICES_EXTERNAL_UDP="domain" FW_TRUSTED_NETS="" FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" FW_SERVICE_DNS="yes" # if yes, FW_TCP_SERVICES_* needs to have port 53 # (or "domain") set to allow incoming queries. # also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes" FW_SERVICE_DHCLIENT="yes" # if you use dhclient to get an ip address # you have to set this to "yes" ! FW_SERVICE_DHCPD="yes" # set to yes, if this server is a DHCP server FW_FORWARD_TCP="" # Beware to use this! FW_FORWARD_UDP="" # Beware to use this! FW_ALLOW_PING_FW="yes" FW_ALLOW_FW_TRACEROUTE="yes" Now, running from the local Linux box, when connected, trying something like "ping www.yahoo.co.uk" I get denies of my ISP's DNS servers: Aug 19 09:57:45 fridge pppd[591]: local IP address 212.126.132.2 Aug 19 09:57:45 fridge pppd[591]: remote IP address 195.8.83.22 Aug 19 09:57:45 fridge pppd[591]: primary DNS address 195.8.69.9 Aug 19 09:57:45 fridge pppd[591]: secondary DNS address 195.8.69.7 [...] Aug 19 10:00:10 fridge kernel: Packet log: input DENY ppp0 PROTO=17 195.8.69.9:53 212.126.132.2:1026 L=198 S=0x00 I=28179 F=0x0000 T=62 (#29) Resorting to IP address only, I get denies on the ping data. However, if I now try this on my Win95 box across the internal net, it can do the DNS resolution okay, I then get denies on the ping data(?): Aug 19 09:58:22 fridge named[284]: ns_forw: query(www.yahoo.co.uk) NS points to CNAME (ns.europe.yahoo.com:) Aug 19 09:58:51 fridge kernel: Packet log: forward DENY ppp0 PROTO=6 192.168.0.2:1073 212.126.144.27:3128 L=64 S=0xC0 I=24072 F=0x4000 T=127 SYN (#1) -- == jon bird - software engineer == == == posted as: news@onastick.clara.co.uk == email: jon@onasticksoftware.co.uk == web: www.onasticksoftware.co.uk -- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq