Thanks for the fast reply.

Armin Schoech wrote:

| --> make sure to use /etc/hosts.allow hosts.deny as a second layer of
| security after the firewall.

Already done. And webserver and SMB etc. are protected as well (accept connections only from trusted hosts).

| --> Have a look at 10) in /etc/sysconfig/SuSEfirewall2. You can
| finetune the services in the FW_TRUSTED_NETS variable. Example:
|
| FW_TRUSTED_NETS="123.123.0.0/16,tcp,ssh 195.195.yyy.zzz,tcp,80"

One thing I did not get here: Is it possible to set more than one protocol,port per IP address (i.e. listing internal computers with explicit access to www, smb, nfs, ssh while listing the timeserver only with access to ntp)? And what might be the syntax here (more comma-separated stuff, IP1,Protocol1,PortOfProtocol1,Protocol2,PortOfProtocol2, or a (very long) list of IP1,Protocol1,PortOfProtocol1 IP1(thesame),Protocol2,PortOfProtocol2 etc.)?

Could not find a clear hint for that; from /sbin/SuSEFirewall2 it seems that the second option is the only possibility. I'm just unsure if more than one rule can be set per IP (i.e. if only the first or the last one gets activated, or if they add up). Or is this not possible in general?

-- 
Bye,

Marc Saric

Dr. Marc Saric, Bioinformatik, Proteom Centrum Tübingen, Paul-Ehrlich-Str. 15, D-72076 Tübingen, Germany, Tel: +49 (0)7071 29 77645, marc.saric@uni-tuebingen.de http://www.proteom-centrum-tuebingen.de
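Added example, not from this mail and not SuSEfirewall2's own code: a POSIX shell helper that expands a FW_TRUSTED_NETS value (space-separated net,proto,port entries, as in the quoted line) into the iptables ACCEPT rules it stands for, so a list with several entries for one address can be reviewed before it is applied. It assumes each entry yields its own rule, so entries for the same host accumulate rather than overriding each other; the sample list is constructed, and nothing is applied to the kernel.

```shell
#!/bin/sh
# Expand a FW_TRUSTED_NETS string into the iptables rules it represents.
# Entry forms handled: "net" (all traffic), "net,proto" and "net,proto,port".
# Only tcp/udp are handled here; anything else is reported and skipped.
# Rules are printed, never executed, so the allowlist can be reviewed first.
trusted_nets_to_rules() {
    for entry in $1; do
        net=${entry%%,*}                 # text before the first comma
        rest=${entry#"$net"}; rest=${rest#,}
        proto=${rest%%,*}                # second field, may be empty
        port=${rest#"$proto"}; port=${port#,}   # third field, may be empty
        case "$proto" in
            "")
                echo "iptables -A INPUT -s $net -j ACCEPT" ;;
            tcp|udp)
                if [ -n "$port" ]; then
                    echo "iptables -A INPUT -s $net -p $proto --dport $port -j ACCEPT"
                else
                    echo "iptables -A INPUT -s $net -p $proto -j ACCEPT"
                fi ;;
            *)
                echo "skipping '$entry': unsupported protocol '$proto'" >&2 ;;
        esac
    done
}

# Constructed sample: two entries for the same internal host (ssh and www),
# one entry for a time server limited to ntp, one host trusted completely.
SAMPLE="192.0.2.10,tcp,ssh 192.0.2.10,tcp,80 192.0.2.20,udp,123 192.0.2.30"

trusted_nets_to_rules "$SAMPLE"
```

Each printed line is one independent ACCEPT rule, which is why the same address can appear in several entries.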