On 10/28/2007 08:49 AM, primm wrote:
> Thanks for the confirmation. I thought it was me going mad.
> That's exactly what I had in 10.2 (except I had /24 not /32 as the mask) and what I've tried to do in 10.3.
I would use /32 since you are talking an exact IP address. After rereading your thread earlier, as I understood it, 192.168.1.1 is your LAN NIC. This would not need the rule, as it would not send packets out that interface to go to the internet, it would go out (IIUC 192.168.0.x) NIC and would be routed by the ADSL router. 192.168.0.x (not sure what IP it is) should also be the gateway. So, IIUC, you would only need 192.168.1.2/32 in FW_MASQ_NETS. BTW, I am not sure /24 would work. I'm sure others will correct or verify that.
> In 10.2 it works. In 10.3 it doesn't. I can't find anything explaining the differences between /etc/sysconfig/SuSEfirewall2 in 10.2 and 10.3. I know there are. But it's obviously a secret.
Yesterday I just upgraded our office server. I have used SuSEfirewall2 since 6.4, and have learned it is really quite a powerful firewall, but most of my FW_MASQ_NETS also include the destination address, protocol, and port. It is much more complicated than you seek. I also redirect the LAN through dansguardian (filter) and squid set up as a transparent proxy. I did not do extensive testing, but what I did said SuSEfirewall2 was working as it had in 10.2. I basically copied and pasted most of the rules I had from my 10.2 /etc/sysconfig/SuSEfirewall2.

One change I noted, besides the return of eth0 type IF names, is the FW_MASQ_DEV. It used to be something like $FW_DEV_EXT, now it is zone:ext. Since mine seemed to work, I would suggest checking the subnet mask (i.e. /32 for a single IP) and make sure your FW_MASQ_DEV is set correctly. Otherwise, perhaps try iptables -L to double check. HTH.

--
Joe Morris
Registered Linux user 231871 running openSUSE 10.3 x86_64
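
Added example, not part of the original message or of SuSEfirewall2: a small POSIX sh check for the two settings discussed above. It reports whether FW_MASQ_DEV uses the zone: form and whether each FW_MASQ_NETS source covers more addresses than the one written. The sample config and the function names are constructed for illustration, and a source without a prefix is assumed to mean a single host.

```shell
#!/bin/sh
# Constructed sample of the two settings from the thread (not a real config).
SAMPLE_CONF='FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="192.168.1.2/24 192.168.1.2/32 192.168.1.0/24,0/0,tcp,80"'

# Print the value of a KEY="value" line from sysconfig-style text on stdin.
conf_get() {
    sed -n "s/^$1=\"\(.*\)\"[[:space:]]*\$/\1/p" | tail -n 1
}

# Dotted quad -> integer; body runs in a subshell so IFS does not leak.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Classify the source part of one FW_MASQ_NETS entry (text before the first comma):
#   host               /32, exactly one address
#   net                address is the network address of its prefix
#   wider-than-written host bits are set, so the prefix covers the whole subnet
src_scope() {
    src=${1%%,*}
    addr=${src%/*}
    case $src in */*) bits=${src#*/} ;; *) bits=32 ;; esac  # assumption: bare IP = host
    case $addr in *.*.*.*) ;; *) echo unparsed; return ;; esac
    if [ "$bits" -eq 32 ]; then echo host; return; fi
    ip=$(ip_to_int "$addr")
    hostmask=$(( (1 << (32 - bits)) - 1 ))
    if [ $(( ip & hostmask )) -ne 0 ]; then echo wider-than-written; else echo net; fi
}

audit_masq() {
    dev=$(printf '%s\n' "$1" | conf_get FW_MASQ_DEV)
    case $dev in
        zone:*) echo "FW_MASQ_DEV=$dev (zone form)" ;;
        '')     echo "FW_MASQ_DEV is unset or empty" ;;
        *)      echo "FW_MASQ_DEV=$dev (not zone form)" ;;
    esac
    for entry in $(printf '%s\n' "$1" | conf_get FW_MASQ_NETS); do
        echo "$entry: $(src_scope "$entry")"
    done
}

audit_masq "$SAMPLE_CONF"
```

To audit a live system, pass the file contents instead of the sample: `audit_masq "$(cat /etc/sysconfig/SuSEfirewall2)"`. The masquerade rules themselves live in the nat table, so `iptables -t nat -L POSTROUTING -n -v` is the listing that shows them.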