Hi Again,
1) Is the routing ok ? How can I check the routing ? The SuSEfirewall-Script generates more rules than G.W. bushisms.
Print the routing table with: route -n

General routing should look like this:

fb7-fg6:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
internal-ip     0.0.0.0         255.255.255.0   U     0      0        0 eth1
external-ip     0.0.0.0         255.255.255.0   U     0      0        0 eth0
dsl-ip          0.0.0.0         255.255.255.0   U     0      0        0 ppp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         default-gw-ip   0.0.0.0         UG    0      0        0 ppp0

The default gw is the IP you get from DSL; that should be set correctly within the DSL "dialup script" and reset within the DSL "dialout script"! If not, add a rule within yast/network/dsl. Sometimes that routing stuff acts very strangely -> maybe a reboot helps to reset everything after a change.
2) Are there any firewall log entries ? Nothing critical for the 'dead' Interface. But I have to retry with logging everything.
With this you get the firewall output in one file to analyse it:

grep DROP /var/log/messages > Outputfile
3) Are you sure you don't masq your webserver's reply packets with the wrong IP ? (I understand that you now have 2 external IPs) I am completely unsure about everything! I guess everything should be clear by understanding the IP rules. Is there a debugging tool for this ?

-> /sbin/SuSEfirewall status   # gives debug output of the iptables sets in SuSEfirewall
Try: cat /proc/sys/net/ipv4/ip_forward
If you see a "1" you have forwarding enabled.

Testing if the network is running:
unload the firewall
enable forwarding
ping the IP of eth0, eth1, ppp0
traceroute www.freenet.de   # here we go external and see where the route goes (e.g. here with freenet.de)!
If you get errors here, the problem is not with the firewall.

The firewall config should look like this:

FW_DEV_EXT="eth0 ppp0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
# configure the services and ports as you desire!
# bad security, but for testing ...
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_KERNEL_SECURITY="yes"
# for testing set the following to "yes":
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_SOURCEQUENCH="no"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
FW_REJECT="no"
# for German T-DSL:
FW_HTB_TUNE_DEV="ppp0,250"
# or, not optimized:
# FW_HTB_TUNE_DEV=""

Philippe
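The three checks Philippe walks through (is the default route on the DSL interface, is forwarding on, which interface is dropping packets) can be scripted so they are repeatable after every reconnect. The script below is an added example, not code from the thread or from the SuSEfirewall package. Everything it reads is constructed sample data: the route table mirrors the shape of the table above with documentation/private addresses, and the log lines use an assumed iptables LOG prefix; on a real box you would pipe in `route -n` and `/var/log/messages` instead.

```shell
#!/bin/sh
# Added example, not code from the original thread or from SuSEfirewall:
# small checks for the routing / forwarding / firewall-log questions above.
# All input below is constructed sample data; on a real box feed in
# `route -n`, /proc/sys/net/ipv4/ip_forward and /var/log/messages instead.

# Constructed `route -n` output shaped like the table in the post
# (addresses are documentation/private ranges, not real hosts).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
198.51.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 ppp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 ppp0'

# Constructed kernel log lines in the style of iptables LOG output with a
# SuSEfirewall-like prefix (the prefixes are assumed, not taken from the post).
SAMPLE_LOG='Jan 10 12:00:01 fw kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= SRC=192.0.2.7 DST=203.0.113.23 LEN=48 TTL=113 ID=1234 DF PROTO=TCP SPT=3456 DPT=80 SYN
Jan 10 12:00:02 fw kernel: SFW2-INext-ACC-TCP IN=ppp0 OUT= SRC=192.0.2.9 DST=203.0.113.23 LEN=48 PROTO=TCP SPT=4000 DPT=22 SYN
Jan 10 12:00:03 fw kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=ppp0 SRC=192.168.0.5 DST=192.0.2.9 LEN=60 PROTO=UDP SPT=1025 DPT=53'

# default_gw_iface: interface carrying the default route (Destination 0.0.0.0
# with the G flag), read from `route -n` output on stdin. Empty if none.
default_gw_iface() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $NF; exit }'
}

# missing_route_ifaces: given an FW_DEV_EXT/FW_DEV_INT style interface list
# in $1 and `route -n` output on stdin, print each interface that has no
# route entry at all (a sign the device is down or the DSL script failed).
missing_route_ifaces() {
    routes=$(cat)
    for dev in $1; do
        printf '%s\n' "$routes" |
            awk -v d="$dev" '$NF == d { found = 1 } END { exit !found }' ||
            printf '%s\n' "$dev"
    done
}

# drop_summary: keep only DROP lines from log input on stdin and print
# "in-iface src dst proto dpt" so you can see which interface is eating
# the packets (same idea as `grep DROP /var/log/messages` from the post).
drop_summary() {
    grep 'DROP' | awk '{
        iface = "-"; src = "-"; dst = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^IN=/)    iface = substr($i, 4)
            else if ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        print iface, src, dst, proto, dpt
    }'
}

# forwarding_enabled: true if the sysctl file ($1, default the real
# /proc path) contains "1".
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Demo on the constructed data; the forwarding check looks at the real /proc
# file and just reports if it is unreadable (e.g. on a non-Linux host).
echo "default route via: $(printf '%s\n' "$SAMPLE_ROUTES" | default_gw_iface)"
echo "devices without any route: $(printf '%s\n' "$SAMPLE_ROUTES" | missing_route_ifaces 'eth0 ppp0 eth1 eth2')"
echo "dropped packets (in-iface src dst proto dpt):"
printf '%s\n' "$SAMPLE_LOG" | drop_summary
if forwarding_enabled; then echo "ip_forward=1"; else echo "ip_forward is 0 or unreadable"; fi
```

Run it after the DSL dialup script has finished: a default route that is not on ppp0, an external device with no route at all, or DROP lines whose IN= is the "dead" interface each point to a different cause than the firewall rules themselves.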