togan, if you add the two dns forwarders to FW_TRUSTED_NETS in 10.) and add 'domain' to both FW_SERVICES_TRUSTED_???, i think that should cut it.

i don't know SuSEfirewall. seems like a fancy interface to ipchains. somehow i like using the latter better though since it is more flexible. i don't know for instance how to prevent the dns forwarders from having privileged ssh access while allowing it to 127.0.0.0/8 and vice versa.

martin

### from fw.config
10.)
# Which services should be accessible from trusted hosts/nets on the internet?
#
# Define trusted networks on the internet, and the TCP and/or UDP services
# they are allowed to use.
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, separated by a space. e.g. "172.20.1.1", "172.20.0.0/16"
#
FW_TRUSTED_NETS="127.0.0.1 127.0.0.2 "
#
# leave FW_SERVICES_TRUSTED_* empty or any number of ports, known portnames
# (from /etc/services) and port ranges separated by a space.
# e.g. "25", "ssh", "1:65535", "1 3:5"
#
FW_SERVICES_TRUSTED_TCP="ssh 53"
FW_SERVICES_TRUSTED_UDP="syslog time 4000"
# Common: syslog time ntp
madduck@madduck.net (greetings from the heart of the sun)
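The limitation martin describes above, shown as an added example that is not part of the original mail, of SuSEfirewall or of ipchains: with the flat FW_TRUSTED_NETS / FW_SERVICES_TRUSTED_* model every trusted host receives every trusted service, so the dns forwarders end up with ssh as well. The script models that flat grant next to a per-host grant that gives 127.0.0.0/8 only ssh and the forwarders only domain, and counts how many ssh rules each model hands to hosts outside 127.0.0.0/8. The forwarder addresses 192.0.2.10 and 192.0.2.11 are constructed (TEST-NET) values, the PER_HOST list format is this example's own, and the ipchains command lines are printed rather than executed (their syntax is assumed from memory, not taken from the original mail).

```sh
#!/bin/sh
# Added example: flat SuSEfirewall-style grant vs. per-host grant, rendered as
# ipchains commands. Nothing here is applied to the kernel; rules are only printed.
# Constructed values: 192.0.2.10 and 192.0.2.11 stand in for the dns forwarders.

# Flat model: the same service list applies to every trusted net.
FW_TRUSTED_NETS="127.0.0.1 192.0.2.10 192.0.2.11"
FW_SERVICES_TRUSTED_TCP="ssh domain"
FW_SERVICES_TRUSTED_UDP="domain"

# Print one ACCEPT rule per (trusted net, service) pair, exactly as the flat
# model implies: every host listed gets ssh AND domain.
flat_rules() {
  for net in $FW_TRUSTED_NETS; do
    for svc in $FW_SERVICES_TRUSTED_TCP; do
      echo "ipchains -A input -p tcp -s $net -d 0/0 $svc -j ACCEPT"
    done
    for svc in $FW_SERVICES_TRUSTED_UDP; do
      echo "ipchains -A input -p udp -s $net -d 0/0 $svc -j ACCEPT"
    done
  done
}

# Per-host model (this example's own format, not a SuSEfirewall option):
# "host:proto/port,proto/port ..." so each source gets only what it needs.
PER_HOST="127.0.0.0/8:tcp/ssh 192.0.2.10:tcp/domain,udp/domain 192.0.2.11:tcp/domain,udp/domain"

# Print one ACCEPT rule per (host, proto/port) entry.
per_host_rules() {
  for entry in $PER_HOST; do
    host=${entry%%:*}
    svcs=${entry#*:}
    old_ifs=$IFS
    IFS=,
    for s in $svcs; do
      proto=${s%%/*}
      port=${s#*/}
      echo "ipchains -A input -p $proto -s $host -d 0/0 $port -j ACCEPT"
    done
    IFS=$old_ifs
  done
}

# Count ssh ACCEPT rules whose source is NOT inside 127.0.0.0/8, i.e. how many
# outside hosts a given rule generator grants ssh to. $1 names the generator.
ssh_exposure() {
  "$1" | grep ' ssh ' | grep -v -e '-s 127\.' | wc -l | tr -d ' '
}

# Stand-alone run: show both rule sets and their ssh exposure.
echo "# flat model (ssh granted to $(ssh_exposure flat_rules) non-loopback sources):"
flat_rules
echo "# per-host model (ssh granted to $(ssh_exposure per_host_rules) non-loopback sources):"
per_host_rules
```

Running the script prints the two rule sets; the flat model grants ssh to both forwarders, the per-host model to none of them, which is the separation martin wants and which the FW_SERVICES_TRUSTED_* variables cannot express on their own.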