Hi! I seem to have a problem with SuSEfirewall2. I administer a Linux router (SuSE 8.0) for a small network. This router serves as a gateway to the Internet as well as a firewall between the Net and my LAN. The LAN's mail server is also located on this machine, while the web server is on 100.120.55.2. Every PC in the LAN has a public IP, so I have to use routing without masquerading.

The firewall is supposed to block all traffic between the Internet and the LAN except for the following protocols/ports: pop3, pop3s, http, https, ftp, ftps, smtp, ssh, domain. I also have to keep port 7271 open for licensing purposes. Following the example files I built the config file listed below. However, I am not really satisfied with its performance. For example, it should not be possible to establish an FTP connection from the outside to one of my LAN computers, but the firewall doesn't prevent this at all. Also, I want only certain outside machines to be able to connect to port 7271 on a certain computer within the LAN, yet it seems everybody can. What did I do wrong???

BTW, the IPs in the config file below were changed, just to be on the safe side.

Please help! Thanks in advance,
Jörg

PS: Please reply to JLeicher@gmx.de, since I have not subscribed to this mailing list.
Here comes /etc/sysconfig/SuSEfirewall2:

# interfaces: eth1 faces the Internet, eth0 the LAN, no DMZ
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""

# routing between LAN and Internet, no masquerading (all LAN hosts have public IPs)
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="no"

# services the router itself accepts on the external interface
FW_SERVICES_EXT_TCP="20 21 22 25 53 80 110 995"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_EXT_IP=""

# services the router itself accepts on the DMZ interface (none configured)
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""

# services the router itself accepts on the internal interface
FW_SERVICES_INT_TCP="20 21 22 25 53 80 110 995"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""

FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

# service helpers
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"

# forwarded connections, one entry per line: source,destination,protocol,port
FW_FORWARD="100.120.55.0/6,0/0,tcp,80 / \
100.120.55.0/6,0/0,tcp,110 / \
100.120.55.0/6,0/0,tcp,22 / \
100.120.55.0/6,0/0,tcp,25 / \
100.120.55.0/6,0/0,udp,53 / \
100.120.55.0/6,0/0,tcp,53 / \
100.120.55.0/6,0/0,tcp,995 / \
0/0,100.120.55.2,tcp,80 / \
100.120.204.51,100.120.55.18,tcp,7127 / \
100.120.204.56,100.120.55.18,tcp,7127 / \
100.120.204.58,100.120.55.18,tcp,7127 "
FW_FORWARD_MASQ=""
FW_REDIRECT=""

# logging
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"

##
# END of rc.firewall
##

#
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
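The following is an added example, not part of the mail above and not SuSEfirewall2 code. It parses the posted FW_FORWARD value exactly as written and reports which entries a given source/destination/protocol/port would match, so a reader can check what each entry covers before looking at the generated iptables rules. It models only this one variable (the real script derives many more rules from the other settings, so "no FW_FORWARD entry" here is not by itself a statement about what the router does), it treats the bare "/" tokens between entries as separators (an assumption about the posted format, not a claim about what SuSEfirewall2 expects), and the probe addresses other than those in the config (198.51.100.7, 101.2.3.4) are constructed.

```python
"""Toy matcher for the FW_FORWARD list posted above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the FW_FORWARD value from the posted config file.
FW_FORWARD = (
    "100.120.55.0/6,0/0,tcp,80 / 100.120.55.0/6,0/0,tcp,110 / "
    "100.120.55.0/6,0/0,tcp,22 / 100.120.55.0/6,0/0,tcp,25 / "
    "100.120.55.0/6,0/0,udp,53 / 100.120.55.0/6,0/0,tcp,53 / "
    "100.120.55.0/6,0/0,tcp,995 / 0/0,100.120.55.2,tcp,80 / "
    "100.120.204.51,100.120.55.18,tcp,7127 / "
    "100.120.204.56,100.120.55.18,tcp,7127 / "
    "100.120.204.58,100.120.55.18,tcp,7127 "
)


@dataclass(frozen=True)
class ForwardRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port
    text: str              # the entry as written in the config


def parse_net(spec: str) -> ipaddress.IPv4Network:
    """'0/0' is the config file's shorthand for any address."""
    if spec == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    # strict=False: a spec with host bits set, such as 100.120.55.0/6,
    # is reduced to the network it actually denotes instead of rejected.
    return ipaddress.ip_network(spec, strict=False)


def parse_forward(value: str) -> List[ForwardRule]:
    """Split the value on whitespace; bare '/' tokens are assumed to be
    separators between entries and are skipped."""
    rules = []
    for token in value.split():
        if token == "/":
            continue
        parts = token.split(",")
        src = parse_net(parts[0])
        dst = parse_net(parts[1]) if len(parts) > 1 else parse_net("0/0")
        proto = parts[2] if len(parts) > 2 else "any"
        dport = int(parts[3]) if len(parts) > 3 else None
        rules.append(ForwardRule(src, dst, proto, dport, token))
    return rules


def matching_rules(rules: List[ForwardRule], src: str, dst: str,
                   proto: str, dport: int) -> List[ForwardRule]:
    """All entries that cover a connection from src to dst:dport."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [r for r in rules
            if s in r.src and d in r.dst
            and r.proto in ("any", proto)
            and (r.dport is None or r.dport == dport)]


def effective_network(spec: str) -> str:
    """The address range a source/destination spec really denotes."""
    return str(parse_net(spec))


def forwarded_ports(rules: List[ForwardRule], proto: str) -> List[int]:
    """Distinct destination ports that appear in entries for proto."""
    return sorted({r.dport for r in rules if r.proto == proto and r.dport})


RULES = parse_forward(FW_FORWARD)

if __name__ == "__main__":
    print("100.120.55.0/6 denotes", effective_network("100.120.55.0/6"))
    print("tcp ports in FW_FORWARD:", forwarded_ports(RULES, "tcp"))
    probes = [
        ("100.120.204.51", "100.120.55.18", "tcp", 7127),  # listed licence client
        ("198.51.100.7", "100.120.55.18", "tcp", 7127),    # constructed outside host
        ("198.51.100.7", "100.120.55.18", "tcp", 21),      # constructed, ftp inbound
        ("101.2.3.4", "198.51.100.7", "tcp", 80),          # constructed, outside /6
    ]
    for probe in probes:
        hits = matching_rules(RULES, *probe)
        print(probe, "->", [r.text for r in hits] or "no FW_FORWARD entry")
```

Running it shows three things that follow mechanically from the posted text: the source spec 100.120.55.0/6 denotes 100.0.0.0/6 (100.0.0.0 through 103.255.255.255), so the port 80/110/22/25/53/995 entries also cover a constructed host such as 101.2.3.4; no entry mentions port 21 or port 7271 (the three licence entries are written with 7127); and an unlisted source such as 198.51.100.7 matches no entry for 100.120.55.18:7127.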