In my previous message I was asking why I was unable to ping to/from the net. And I found part of the answer. My configuration is just one host with one NIC to access the net, and I wanted to close everything but ssh and http by means of the FW. The IP address of my NIC is set by the dhcp client at boot time (actually it is set by the corresponding scheme in /etc/pcmcia/network.opt). The dynamic IP address really changes from time to time because I link to more than one network. This was the config I was using:
FW_DEV_WORLD="eth0"
FW_DEV_WORLD_eth0="10.0.0.1 255.255.255.0"
The problem is that the configuration above configures rules for the static IP address 10.0.0.1, and when the interface goes up and gets a different IP address (dhcp) it does not work - in fact the FW does its job by filtering all packets to the latest IP address. On the other hand, when I leave FW_DEV_WORLD_eth0 empty, at boot time the FW is not initialized (it prompts an error at phase 2 of 3) because the dhcp client still has not set a valid IP address for eth0.

So it seems that an address should be given for the FW to work properly... but I cannot give an unknown IP in advance. The same scenario would be present when connecting with a modem to dial-up... usually before connecting you don't know your assigned IP.

Is there a workaround for it? I guess I can skip FW starting at boot time and write a script to start the FW when the dhcp client gets an IP address.