I am at my wits' end with this problem.

Server in dmz, internal net, http, https, ssh, imap, etc on server accessible from the outside. The internal net should have access to the same services on the server as are available from the outside.

Problems: ntpdate -q outside does not work on server, ditto on firewall. Reaching http://outside from server doesn't work. From outside, imap and 7777 are not reachable on server, although http https are reachable and imap and 7777 are configured identically. The internal net can't reach the server (yes I use FW_FORWARD).

SuSE 8.0 with all updates current as of yesterday. I tried the same setup on 2 different machines so it's not the hardware (unless realtek 8139 net cards go dead on some ports only, not likely).

FW_DEV_EXT="eth2"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.2.0/24 192.168.1.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="domain"
FW_SERVICES_EXT_UDP="domain ntp"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="domain ssh"
FW_SERVICES_DMZ_UDP="domain"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="domain ssh"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="
    192.168.2.0/24,192.168.1.1,tcp,80
    192.168.2.0/24,192.168.1.1,tcp,443
    192.168.2.0/24,192.168.1.1,tcp,143
    192.168.2.0/24,192.168.1.1,tcp,25
    192.168.2.0/24,192.168.1.1,tcp,22
    192.168.2.0/24,192.168.1.1,tcp,7777
    192.168.2.0/24,192.168.1.1,udp,123
"
FW_FORWARD_MASQ="
    0/0,192.168.1.1,tcp,80
    0/0,192.168.1.1,tcp,443
    0/0,192.168.1.1,tcp,143
    0/0,192.168.1.1,tcp,25
    0/0,192.168.1.1,tcp,22
    0/0,192.168.1.1,tcp,7777
"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"

On a SuSE 7.3 box with iptables, kernel, SuSEfirewall2 packages from SuSE 8.0 an essentially identical setup works as expected (there's no DNS server on that box).

Ideas are very much appreciated.

Thanks in advance,

Volker

If you don't want to reply to the list change my email address to list0570 at (sorry).

--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.orcon.net.nz/ Please do not CC list postings to me.
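Added example, not part of the original post: a small Python check of the two forwarding lists quoted above, to rule out a typo in the configuration by confirming that the imap (143) and 7777 entries match the working http/https entries and by listing any service forwarded for one side but not the other. It assumes the four-field source,destination,protocol,port layout used in the post; the function names are hypothetical.

```python
from collections import Counter, namedtuple

Rule = namedtuple("Rule", "src dst proto port")

# Values copied from the FW_FORWARD and FW_FORWARD_MASQ settings in the post.
FW_FORWARD = """
192.168.2.0/24,192.168.1.1,tcp,80 192.168.2.0/24,192.168.1.1,tcp,443
192.168.2.0/24,192.168.1.1,tcp,143 192.168.2.0/24,192.168.1.1,tcp,25
192.168.2.0/24,192.168.1.1,tcp,22 192.168.2.0/24,192.168.1.1,tcp,7777
192.168.2.0/24,192.168.1.1,udp,123
"""
FW_FORWARD_MASQ = """
0/0,192.168.1.1,tcp,80 0/0,192.168.1.1,tcp,443 0/0,192.168.1.1,tcp,143
0/0,192.168.1.1,tcp,25 0/0,192.168.1.1,tcp,22 0/0,192.168.1.1,tcp,7777
"""

def parse_rules(value):
    """Split a whitespace-separated list of src,dst,proto,port entries."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        # Assumption: only the four-field form seen in the post is handled.
        if len(fields) != 4 or fields[2] not in ("tcp", "udp") or not fields[3].isdigit():
            raise ValueError(f"malformed entry: {entry!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], int(fields[3])))
    return rules

def outliers(rules):
    """Return rules whose (src, dst, proto) differs from the most common one."""
    if not rules:
        return []
    common, _ = Counter(r[:3] for r in rules).most_common(1)[0]
    return [r for r in rules if r[:3] != common]

def compare(internal_value, external_value, server):
    """Diff the (proto, port) services each list forwards to `server`."""
    inside = {(r.proto, r.port) for r in parse_rules(internal_value) if r.dst == server}
    outside = {(r.proto, r.port) for r in parse_rules(external_value) if r.dst == server}
    return {"internal_only": sorted(inside - outside),
            "external_only": sorted(outside - inside),
            "both": sorted(inside & outside)}

if __name__ == "__main__":
    print(compare(FW_FORWARD, FW_FORWARD_MASQ, "192.168.1.1"))
    print(outliers(parse_rules(FW_FORWARD_MASQ)))
```

For the values in the post the only difference between the lists is udp/123, forwarded for the internal net only, and no FW_FORWARD_MASQ entry differs from the others.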