Hi folks,

I'm new here, so just point me if my problem was already solved.

So, I have a Pentium box with updated SuSE 8.0, eth1 card to DSL modem, eth0 to internal network. It acts as a masquerading router for all Internet connections from the internal network. I don't want it to run any additional services besides SSH, if possible (no DNS, no proxies, etc.). So I configured the firewall in YaST2 between ppp0 and eth0; only enabling ssh; allowing traceroute, doing masquerading, protecting all running services, NOT protecting from internal network; no logging options. So far, so good, I can access the Internet and I hope to be protected.

Now, I want to run a webserver on one of the internal computers that is accessible from the Internet. Thus I've registered a domain with a free dynamic DNS provider, and the IP address updated there is the one I got upon dial-up from the provider. I'm running inetd in its standard configuration on the router.

First, I was intrigued by the fact that although I can ping everything outside, I cannot ping this dyn IP nor my domain (translated to correct IP) from my internal, masqueraded network. Pinging from the router works fine. I understand it to be some anti-spoofing feature of the FW to protect it from the internal network. I surely can access my website with the internal IP, but I want to test how it will be accessed from outside. Same situation for ssh to the dyn IP or domain (from router ok, from internal network no way). So, I've tried to set FW_TRUSTED_NETS="192.168.0.0/24,icmp" to no avail. Then I also tried to put iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 192.168.1.1 -j ACCEPT (the destination is the internal address of the network card connected to the modem) into the antispoofing section of the custom FW script and enable it in the configuration, but that failed too, as it is probably nonsense anyway. Also, how can I get the internal network to ping the firewall box from outside???

Second, I wanted to "forward" everything coming to the firewall from outside on port 80 to reach my webserver in the internal network.
I know it is a security hole, but I opt for it anyway. Thus I've defined the following in the configuration: FW_FORWARD_MASQ="0/0,192.168.0.4,tcp,80". Yet I cannot access my website by dyn domain from the internal network (which may be related to the previous problem). Even more obscure is that I cannot access the site when launching a browser on the router either (for ping and ssh it worked there, so I suspect this "reverse masquerading" is not really functioning).

Also, did anybody get a webserver with no static IP residing in an internal network to respond through the SuSE firewall??? Is the kind of configuration I wish for possible at all with SuSE8 FW2, or should I rather learn to write iptables manually or get some other firewall/packet filtering?

Any help is very appreciated!

Peter.