* Frédéric Poulet;
FW_MASQ_NETS="192.168.1.0/24 192.168.5.0/24"
This is good; you can even say 192.168.0.0/16.
# 9.)
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
# FW_SERVICES_DMZ_TCP="80" FW_SERVICES_DMZ_UDP="80" FW_SERVICES_DMZ_IP="80"
No, leave these empty. Here is the reasoning:

# 9.)
# Which services ON THE FIREWALL should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
# (see no.13 & 14 if you want to route traffic through the firewall)

XXX Meaning: if you want to have access to your FIREWALL from the DMZ, then enter the services here. When you say 80 here you are saying "I have a service available at the FIREWALL, and it is at port 80, and people coming from the DMZ towards my FIREWALL are allowed if they make a request for port 80." I do not think this is what you want. You have your webserver in the DMZ, NOT_ON_THE_FIREWALL, am I correct to understand?
# 13.) FW_FORWARD="192.168.1.0/24,192.168.5.2,tcp,80"
This is correct
# 14.) FW_FORWARD_MASQ="0/0,192.168.5.2,tcp,80"
This is correct
# 16.)
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
Good. Basically, with this setup you should be able to have your webserver accessible from the Internet and from your local net. If you cannot reach it from the internal net, it should give you some error messages. What do the logs say? After this setup, try to go to your webserver. If you get in, then everything is OK; if not, the logs should say why it was dropped. Send that part to the list and let's try again.
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# by default (so without the need of setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="no"
Hint: if you set FW_MASQ_NETS=192.168.0.0/16, then set this one to "yes" and make sure FW_FORWARD="" is left empty. This will make it so that interfaces in the same class, in this case the /16, can route among each other without FW_FORWARD rules.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
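The three points above (FW_SERVICES_* opens a port on the firewall itself, FW_FORWARD/FW_FORWARD_MASQ targets must be hosts in a masqueraded net, and FW_ALLOW_CLASS_ROUTING requires FW_ROUTE) can be checked mechanically before reloading the firewall. The script below is an added example written for this page; it is not SuSEfirewall2's own code and not from either poster. It assumes the entry format shown in the thread ("source,destination,protocol,port" with an optional fifth redirect-port field, and 0/0 meaning any source) and only handles the simple double-quoted, whitespace-separated values used here. The sample configuration embedded in it is constructed from the questioner's settings, with port 80 still listed in FW_SERVICES_DMZ_TCP although the web server lives on 192.168.5.2.

```python
"""Consistency check for a SuSEfirewall2-style configuration.

Added example, not SuSEfirewall2's own code. It reads the FW_* variables
discussed in the thread and flags the mistakes the reply warns about:
a port opened ON the firewall (FW_SERVICES_*_TCP/UDP) that is really served
by a forwarded host, a forward target outside FW_MASQ_NETS, and
FW_ALLOW_CLASS_ROUTING enabled without FW_ROUTE.
"""
import ipaddress
import re

# Constructed sample (assumption): the questioner's settings, with port 80
# still listed in FW_SERVICES_DMZ_TCP although the web server is 192.168.5.2.
CONSTRUCTED_CONFIG = """
FW_MASQ_NETS="192.168.1.0/24 192.168.5.0/24"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_DMZ_TCP="80"
FW_FORWARD="192.168.1.0/24,192.168.5.2,tcp,80"
FW_FORWARD_MASQ="0/0,192.168.5.2,tcp,80"
FW_ROUTE="yes"
FW_ALLOW_CLASS_ROUTING="no"
"""

# Only simple 'FW_NAME="value"' assignments are handled (assumption).
_ASSIGN = re.compile(r'^\s*(FW_[A-Z0-9_]+)\s*=\s*"?([^"#]*)"?')


def parse_config(text):
    """Map FW_* variable names to lists of whitespace-separated tokens."""
    cfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).split()
    return cfg


def to_network(spec):
    """SuSEfirewall2 writes 'any' as 0/0; ipaddress wants a full dotted quad.
    A bare host address becomes a /32."""
    if spec == "0/0":
        spec = "0.0.0.0/0"
    return ipaddress.ip_network(spec, strict=False)


def forward_entries(cfg, var):
    """Yield (src_net, dst_net, proto, port) for FW_FORWARD / FW_FORWARD_MASQ.
    Entries are 'src,dst,proto,port[,redirect_port]'; the optional field is
    not needed for these checks."""
    for entry in cfg.get(var, []):
        fields = entry.split(",")
        if len(fields) < 4:
            raise ValueError(f"{var}: malformed entry {entry!r}")
        src, dst, proto, port = fields[:4]
        yield to_network(src), to_network(dst), proto.lower(), port


def check_config(cfg):
    """Return a list of human-readable findings (empty means consistent)."""
    findings = []
    masq_nets = [to_network(n) for n in cfg.get("FW_MASQ_NETS", [])]

    forwarded = {}  # (proto, port) -> set of target networks
    for var in ("FW_FORWARD", "FW_FORWARD_MASQ"):
        for _src, dst, proto, port in forward_entries(cfg, var):
            forwarded.setdefault((proto, port), set()).add(dst)
            # Points 13/14: the target must be a host in a masqueraded net.
            if not any(dst.subnet_of(net) for net in masq_nets):
                findings.append(
                    f"{var}: target {dst} is outside FW_MASQ_NETS "
                    f"({' '.join(map(str, masq_nets)) or 'empty'})")

    # Point 9: FW_SERVICES_* opens a port on the FIREWALL itself. If the same
    # proto/port is forwarded to another host, the service is not on the
    # firewall and the entry should stay empty.
    for zone in ("EXT", "DMZ", "INT"):
        for proto in ("TCP", "UDP"):
            var = f"FW_SERVICES_{zone}_{proto}"
            for port in cfg.get(var, []):
                targets = forwarded.get((proto.lower(), port))
                if targets:
                    findings.append(
                        f"{var}: port {port}/{proto.lower()} is opened on the "
                        f"firewall but is forwarded to "
                        f"{', '.join(map(str, targets))}; leave {var} empty")

    # Point 23: class routing REQUIRES FW_ROUTE.
    if (cfg.get("FW_ALLOW_CLASS_ROUTING", ["no"]) == ["yes"]
            and cfg.get("FW_ROUTE", ["no"]) != ["yes"]):
        findings.append("FW_ALLOW_CLASS_ROUTING=yes requires FW_ROUTE=yes")

    return findings


if __name__ == "__main__":
    for finding in check_config(parse_config(CONSTRUCTED_CONFIG)):
        print("WARNING:", finding)
```

Run as is, it reports the single problem in the sample: FW_SERVICES_DMZ_TCP opens 80/tcp on the firewall while the same port is forwarded to 192.168.5.2/32. Emptying FW_SERVICES_DMZ_TCP makes the check pass; pointing a forward at a host outside FW_MASQ_NETS, or enabling FW_ALLOW_CLASS_ROUTING with FW_ROUTE="no", produces the corresponding warning.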