Hi everybody, first of all I am new here (and new to iptables), so greetings to all (and sorry for my bad English).

I am using SuSE 7.2 with SuSEFirewall2. All seems to be working well: WWW in/out, FTP in/out, masquerading etc.

Is there any way of switching the firewall configuration without editing firewall2.rc.config? I mean something like:

firewall.sh www [start|stop]
firewall.sh www ftp [start|stop]
firewall.sh www ftp_behind_fw [start|stop]

Under kernel 2.2.x with ipchains and ipmasqadm I have used scripts like

server.sh [start|stop] clientip

to forward packets to a box behind the firewall. I changed the scripts to work with iptables; the box behind the firewall can be reached from the outside, but the firewall seems to block the answer packets. tcpdump says something like (sorry, at the moment I don't have any logs, erased them :-( ):

remoteip > localip (behind the fw)
localip > remoteip : port can't be reached

Here is the template script where I can open/close ports with port forwarding:

#!/bin/bash
IPT="/usr/sbin/iptables"
CLIENT=$2
DEV=ppp0
PORTS="aaaaa:bbbbb"   # placeholder port range; start and stop must use the same range

if [ $# -lt 2 ]; then
    echo "Client IP missing"
    exit 1
fi

case $1 in
    start)
        # Some-Server
        $IPT -t nat -A PREROUTING -p udp -i $DEV --dport $PORTS -j DNAT --to $CLIENT
        ;;
    stop)
        $IPT -t nat -D PREROUTING -p udp -i $DEV --dport $PORTS -j DNAT --to $CLIENT
        ;;
    *)
        echo "usage: $0 [start|stop] clientip"
        exit 1
        ;;
esac
exit 0

The ipchains script with ipmasqadm portfw/autofw under kernel 2.2.x is working.
Ok, here is some info from the firewall2.rc.config:

FW_PROTECT_FROM_INTERNAL="yes" (all allowed ports can be reached)
FW_AUTOPROTECT_SERVICES="yes"
#
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" (ok, not good, only for testing)
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" (ok, not good, only for testing)
#
FW_SERVICES_EXT_TCP="www"
FW_SERVICES_EXT_UDP="www"
FW_SERVICES_EXT_IP=""
#
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
#
FW_SERVICES_INT_TCP="22 25 53 3128"
FW_SERVICES_INT_UDP="22 53"
FW_SERVICES_INT_IP=""
#
FW_KERNEL_SECURITY="yes"

Thx for any hints and info.

Greetings
freddy
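As an added example, not from freddy's post or from SuSEFirewall2: a start/stop script of the kind described above that goes one step further than the posted template, adding the DNAT rule together with the FORWARD-chain rules that iptables needs before a forwarded connection and its reply packets can pass a firewall that does not accept forwarding by default. The external interface ppp0, the client address 192.168.0.2 and the port range 6000:6010 are assumed values, and IP forwarding is assumed to be enabled in the kernel.

```shell
#!/bin/bash
# Added example (not from the original post): DNAT port forwarding to a host
# behind the firewall, plus the FORWARD rules the replies need under iptables.
# Assumes ppp0 is the external interface and IP forwarding is enabled
# (/proc/sys/net/ipv4/ip_forward = 1); nothing here edits SuSEFirewall2's config.
IPT="${IPT:-/usr/sbin/iptables}"
DEV="${DEV:-ppp0}"

# rules_for add|del PROTO PORTS CLIENT
# Prints one iptables command per line for one forwarded service.
# PORTS is a port or range (e.g. 6000:6010); CLIENT is the internal host.
rules_for() {
    local op=$1 proto=$2 ports=$3 client=$4 flag
    case "$op" in
        add) flag="-I" ;;   # insert at the top so an existing DROP rule does not win
        del) flag="-D" ;;
        *) echo "rules_for: first argument must be add or del" >&2; return 2 ;;
    esac
    # 1. Rewrite the destination of packets arriving from outside.
    echo "$IPT -t nat $flag PREROUTING -i $DEV -p $proto --dport $ports -j DNAT --to-destination $client"
    # 2. DNAT'd packets are routed, not delivered locally, so FORWARD must accept
    #    the new connection towards the client ...
    echo "$IPT $flag FORWARD -i $DEV -p $proto -d $client --dport $ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # 3. ... and the reply packets coming back from the client (matched by conntrack).
    echo "$IPT $flag FORWARD -o $DEV -p $proto -s $client -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# apply_rules add|del PROTO PORTS CLIENT
# Executes the rules; with DRY_RUN=1 it only prints them.
apply_rules() {
    local line
    rules_for "$@" | while IFS= read -r line; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$line"; else eval "$line"; fi
    done
}

# main start|stop PROTO PORTS CLIENT, e.g.: main start udp 6000:6010 192.168.0.2
main() {
    [ $# -eq 4 ] || { echo "usage: $0 start|stop tcp|udp PORTS CLIENT_IP" >&2; return 1; }
    case "$1" in
        start) apply_rules add "$2" "$3" "$4" ;;
        stop)  apply_rules del "$2" "$3" "$4" ;;
        *) echo "unknown action: $1" >&2; return 1 ;;
    esac
}

# Runs only when invoked with arguments, e.g. ./fw_forward.sh start udp 6000:6010 192.168.0.2
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it with DRY_RUN=1 first to see the three rules it would install; whether inserting at the top of FORWARD is enough next to SuSEFirewall2's own rules is an assumption to verify with `iptables -L FORWARD -n -v` on the box.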