* Kurt Minder;
Hi
Ok. I understand. What you let in from any (EXT, INT) interface should be able to access the DMZ. In my case it doesn't, nor can the DMZ access the services opened in SERVICES_DMZ.
No. FW_SERVICES_DMZ_* means the services defined in these parameters are allowed to use the firewall. For example, FW_SERVICES_DMZ_UDP="syslog" means the DMZ is allowed to send syslog packets to the firewall, since the firewall is the syslog server. It does not mean open UDP port 514 in the DMZ (it would be dangerous if you did so).
So I'm back to the solution of using FW_FORWARD. Is this normal, or is it a conflict in the configuration? Obviously the DMZ rules are never applied because the packets are dropped before.
You can use FW_FORWARD as long as the machine that you are forwarding to has a public IP; if you are using a private IP then you should be using FW_FORWARD_MASQ.
Togan wrote: I would say wide open. By defining TCP/UDP/IGMP you are limiting the protocols that are allowed; when you add the port number, then only the protocol along with the matching port is allowed.
I agree with you. For the MASQ_NETS (restrict access from INT to EXT) section it works like this, but when I use this in the TRUSTED_NETS section it won't. I configured the whole INT and DMZ as trusted net (FW_TRUSTED_NETS="192.168.0.0/16"), I know, bad idea. But everything is dropped or denied.
The DMZ is the sacrificial goat; it cannot be trusted.
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
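A small defender-side lint for the two points made in this thread (a private forwarding target belongs in FW_FORWARD_MASQ rather than FW_FORWARD, and the DMZ network must not fall inside FW_TRUSTED_NETS). This is an added example, not code from the thread or from SuSEfirewall2; the "source,destination,proto[,port]" field layout of the FW_FORWARD* values, the sample config and the DMZ range are assumptions.

```python
import ipaddress
import re

# Constructed SuSEfirewall2-style fragment (not from the thread).
SAMPLE_CONFIG = """
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"
FW_TRUSTED_NETS="192.168.0.0/16"
FW_FORWARD="0/0,192.168.2.10,tcp,80"
FW_FORWARD_MASQ="0/0,192.168.2.11,tcp,25"
FW_SERVICES_DMZ_UDP="syslog"
"""

# Assumed DMZ range for the overlap check (not stated in the thread).
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")


def parse_config(text):
    """Return {VAR: value} for FW_*="value" lines; other lines are ignored."""
    conf = {}
    for m in re.finditer(r'^\s*(FW_[A-Z_]+)="([^"]*)"', text, re.M):
        conf[m.group(1)] = m.group(2)
    return conf


def lint(conf, dmz_net=DMZ_NET):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    # 1. FW_FORWARD entries whose destination is an RFC 1918 address:
    #    a private target needs FW_FORWARD_MASQ (masquerading), not FW_FORWARD.
    #    Assumed field layout: source_net,destination,proto[,port].
    for rule in conf.get("FW_FORWARD", "").split():
        fields = rule.split(",")
        try:
            dst = ipaddress.ip_address(fields[1])
        except (IndexError, ValueError):
            findings.append(f"FW_FORWARD: malformed rule {rule!r}")
            continue
        if dst.is_private:
            findings.append(f"FW_FORWARD: {rule!r} targets private {dst}; use FW_FORWARD_MASQ")
    # 2. FW_TRUSTED_NETS ranges that cover the DMZ: the DMZ is never trusted.
    #    Entries may carry ",proto,port" suffixes, so only the network is read.
    for entry in conf.get("FW_TRUSTED_NETS", "").split():
        trusted = ipaddress.ip_network(entry.split(",")[0], strict=False)
        if trusted.overlaps(dmz_net):
            findings.append(f"FW_TRUSTED_NETS: {entry!r} overlaps DMZ {dmz_net}")
    return findings


if __name__ == "__main__":
    for line in lint(parse_config(SAMPLE_CONFIG)):
        print(line)
```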