# SuSEfirewall2 sysconfig file, sourced as shell variable assignments.
# Zones used here: EXT = eth0 (untrusted side), INT = eth1; no DMZ device.
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
# Forwarding between zones is switched on; what is actually forwarded is
# governed by the FW_FORWARD* and masquerading settings below.
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
# Only ICMP and TCP/22 from 172.16.0.0/24 are masqueraded to any destination
# (0/0); no other LAN traffic is NATed by this host.
# NOTE(review): if LAN hosts still reach the Internet while the firewall is
# stopped, they are presumably not routing through this host at all (another
# default gateway, or the proxy at 172.16.0.1) — confirm the clients' gateway
# before changing these rules.
FW_MASQ_NETS="172.16.0.0/24,0/0,icmp 172.16.0.0/24,0/0,tcp,22"
FW_NOMASQ_NETS=""
# Traffic from the internal zone is filtered like external traffic. Largely
# moot here: FW_SERVICES_ACCEPT_INT below accepts all TCP and UDP anyway.
FW_PROTECT_FROM_INT="yes"
# NOTE(review): these ranges open practically the whole TCP port space to the
# external zone — everything except 25, 110, 143, 389, 631, 636, 873, 993,
# 995, 3260, 3306, 5801 and 5901. If only ssh/DNS/IPsec are meant to be
# reachable from outside, reduce this list to those ports.
FW_SERVICES_EXT_TCP="111:142 144:388 1:24 26:109 3261:3305 3307:5800 390:630 5802:5900 5902:65535 632:635 637:872 874:992 994 996:3259"
# DNS plus IPsec negotiation (IKE, NAT-T) and ESP payload from the outside.
FW_SERVICES_EXT_UDP="domain ipsec-nat-t isakmp"
FW_SERVICES_EXT_IP="esp"
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
# Internal zone: DNS on TCP/UDP plus the named service definitions below.
FW_SERVICES_INT_TCP="domain"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT="bind sshd"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
# NOTE(review): "0/0,tcp 0/0,udp" accepts every TCP and UDP packet from any
# source on the external and internal zone. This makes the port lists above
# irrelevant and leaves the firewall host itself effectively unprotected on
# eth0. Clear these entries or restrict them to specific source networks
# and ports (format: net,protocol[,dport[,sport]]).
FW_SERVICES_ACCEPT_EXT="0/0,tcp 0/0,udp"
FW_SERVICES_ACCEPT_INT="0/0,tcp 0/0,udp"
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
# 172.16.0.0/24 is trusted for all protocols; 192.168.0.0/24 only for ICMP
# and TCP/22.
FW_TRUSTED_NETS="172.16.0.0/24 192.168.0.0/24,icmp 192.168.0.0/24,tcp,22"
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
# No explicit forwarding, port-forwarding or redirect rules.
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
# NOTE(review): all drop/accept logging is disabled, so blocked traffic leaves
# no trace in the system log. FW_LOG_DROP_CRIT="yes" is the usual minimum for
# being able to see what the firewall rejects.
FW_LOG_DROP_CRIT="no"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
# Kernel-level protections (sysctl hardening) stay enabled.
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
# ICMP echo to the firewall itself is permitted; the DMZ/EXT ping options
# stay off.
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"

## Type: yesno
## Default: yes
#
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Defaults to "yes" if not set
#
# NOTE(review): ICMP Source Quench has been deprecated (RFC 6633) and modern
# kernels generally ignore it, so this setting has little practical effect
# today; leaving it empty keeps the documented default of "yes".
#
FW_ALLOW_FW_SOURCEQUENCH=""

## Type: string(yes,no)
#
# Allow IP Broadcasts?
#
# Whether the firewall allows broadcast packets.
# Broadcasts are used e.g. for Netbios/Samba, RIP, OSPF and games.
#
# If you want to drop broadcasts but ignore the annoying log entries, set
# FW_IGNORE_FW_BROADCAST_* to yes.
#
# Note that if you allow specific ports here it just means that broadcast
# packets for that port are not dropped. You still need to set
# FW_SERVICES_*_UDP to actually allow regular unicast packets to
# reach the applications.
#
# Format: either
# - "yes" or "no"
# - list of udp destination ports
#
# Examples: - "631 137" allow broadcast packets on port 631 and 137
# to enter the machine but drop any other broadcasts
# - "yes" do not install any extra drop rules for
# broadcast packets. They'll be treated just as unicast
# packets in this case.
# - "no" drop all broadcast packets before other filtering
# rules
#
# defaults to "no" if not set
#
FW_ALLOW_FW_BROADCAST_EXT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_INT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_DMZ="no"

## Type: string(yes,no)
#
# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.
#
# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_*
#
# Format: either
# - "yes" or "no"
# - list of udp destination ports
#
# Examples: - "631 137" silently drop broadcast packets on port 631 and 137
# - "yes" do not log dropped broadcast packets
# - "no" log all dropped broadcast packets
#
# defaults to "no" if not set
#
# NOTE(review): with "yes" in every zone and broadcasts not allowed
# (FW_ALLOW_FW_BROADCAST_*="no"), dropped broadcasts are never logged. That
# removes the noise but also hides unexpected broadcast traffic on eth0.
FW_IGNORE_FW_BROADCAST_EXT="yes"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_INT="yes"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_DMZ="yes"

## Type: list(yes,no,int,ext,dmz,)
## Default: no
#
# Specifies whether routing between interfaces of the same zone should be allowed.
# Requires: FW_ROUTE="yes"
#
# Set this to allow routing between interfaces in the same zone,
# e.g. between all internet interfaces, or all internal network
# interfaces.
#
# Caution: Keep in mind that "yes" affects all zones, i.e. even if you
# need inter-zone routing only in the internal zone, setting this
# parameter to "yes" would allow routing between all external
# interfaces as well. It's better to use
# FW_ALLOW_CLASS_ROUTING="int" in this case.
#
# Choice: "yes", "no", or space-separated list of zone names
#
# Defaults to "no" if not set
#
FW_ALLOW_CLASS_ROUTING=""

## Type: string
#
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
# Left empty: no custom rule file is loaded.
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

## Type: yesno
## Default: no
#
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no"
#
# Defaults to "no" if not set
#
# You may override this value on a per zone basis by using a zone
# specific variable, e.g. FW_REJECT_DMZ="yes"
#
FW_REJECT=""

## Type: yesno
## Default: no
#
# see FW_REJECT for description
#
# default config file setting is "yes" assuming that slowing down
# portscans is not strictly required in the internal zone even if
# you protect yourself from the internal zone
#
# Zone override: the internal zone REJECTs, while the (empty, i.e. "no")
# FW_REJECT above keeps DROP for the other zones.
FW_REJECT_INT="yes"

## Type: string
#
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org
#
# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
# It's a list of devices and maximum bandwidth in kbit.
# For example, the German TDSL account provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.
#
# Example:
# If you want to tune a 128kbit/s upstream DSL device like German TDSL set
# the following values:
# FW_HTB_TUNE_DEV="dsl0,125"
# where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream
#
# you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
# get a better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
# its own buffers because queuing is done by us now.
# So for a 256kbit upstream
# FW_HTB_TUNE_DEV="dsl0,250"
# might be a better value than "dsl0,256". There is no perfect value for a
# special kind of modem. The perfect value depends on what kind of traffic you
# have on your line but 5% under your maximum upstream might be a good start.
# Everything else is special fine tuning.
# If you want to know more about the technical background,
# ADSL Bandwidth Management HOWTO
# is a good start
#
FW_HTB_TUNE_DEV=""

## Type: list(no,drop,reject)
## Default: drop
#
# What to do with IPv6 Packets?
#
# On older kernels ip6tables was not stateful so it's not possible to implement
# the same features as for IPv4 on such machines. For these there are three
# choices:
#
# - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
# traffic unless you setup your own rules.
#
# - drop: drop all IPv6 packets.
#
# - reject: reject all IPv6 packets. This is the default if stateful matching is
# not available.
#
# Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
# Addresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
#
# Leave empty to automatically detect whether your kernel supports stateful matching.
#
FW_IPv6=""

## Type: yesno
## Default: yes
#
# Reject outgoing IPv6 Packets?
#
# Set to yes to avoid timeouts because of dropped IPv6 Packets. This option
# only makes sense with FW_IPv6 != no
#
# Defaults to "yes" if not set
#
FW_IPv6_REJECT_OUTGOING=""

## Type: list(yes,no,int,ext,dmz,)
## Default: no
#
# Trust level of IPsec packets.
#
# You do not need to change this if you do not intend to run
# services that should only be available through an IPsec tunnel.
#
# The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
# are the respective zones. 'yes' is the same as 'int'. 'no' means that IPsec
# packets belong to the same zone as the interface they arrive on.
#
# Note: you still need to explicitly allow IPsec traffic.
# Example:
# FW_IPSEC_TRUST="int"
# FW_SERVICES_EXT_IP="esp"
# FW_SERVICES_EXT_UDP="isakmp"
# FW_PROTECT_FROM_INT="no"
#
# Defaults to "no" if not set
#
# NOTE(review): this file already opens esp (FW_SERVICES_EXT_IP) and
# isakmp/ipsec-nat-t (FW_SERVICES_EXT_UDP) on the external zone; with "no"
# here, traffic arriving through such tunnels is filtered exactly like any
# other external-zone traffic.
FW_IPSEC_TRUST="no"

## Type: string
## Default:
#
# Define additional firewall zones
#
# The built-in zones INT, EXT and DMZ must not be listed here. Names
# of additional zones must only contain lowercase ascii characters.
# To define rules for the additional zone, take the appropriate
# variable for a built-in zone and substitute INT/EXT/DMZ with the
# name of the additional zone.
#
# Example:
# FW_ZONES="wlan"
# FW_DEV_wlan="wlan0"
# FW_SERVICES_wlan_TCP="80"
# FW_ALLOW_FW_BROADCAST_wlan="yes"
#
FW_ZONES=""

## Type: string(no,auto)
## Default:
#
# Set default firewall zone
#
# Format: 'auto', 'no' or name of zone.
#
# When set to 'no' no firewall rules will be installed for unknown
# or unconfigured interfaces. That means traffic on such interfaces
# hits the default drop rules.
#
# When left empty or when set to 'auto' the zone that has the
# interface string 'any' configured is used for all unconfigured
# interfaces (see FW_DEV_EXT). If no 'any' string was found the
# external zone is used.
#
# When a default zone is defined a catch all rule redirects traffic
# from interfaces that were not present at the time SuSEfirewall2
# was run to the default zone. Normally SuSEfirewall2 needs to be
# run if new interfaces appear to avoid such unknown interfaces.
#
# Defaults to 'auto' if not set
#
FW_ZONE_DEFAULT=""

## Type: list(yes,no,auto,)
## Default:
#
# Whether to use iptables-batch
#
# iptables-batch commits all rules in an almost atomic way similar
# to iptables-restore. This avoids excessive iptables calls and race
# conditions.
#
# Choice:
# - yes: use iptables-batch if available and warn if it isn't
# - no: don't use iptables-batch
# - auto: use iptables-batch if available, silently fall back to
# iptables if it isn't
#
# Defaults to "auto" if not set
#
FW_USE_IPTABLES_BATCH=""

## Type: string
## Default:
#
# Which additional kernel modules to load at startup
#
# Example:
# FW_LOAD_MODULES="nf_conntrack_netbios_ns"
#
# See also FW_SERVICES_ACCEPT_RELATED_EXT
#
# NOTE(review): nf_conntrack_netbios_ns is loaded although every
# FW_SERVICES_ACCEPT_RELATED_* entry in this file is empty, so nothing here
# appears to use the helper; confirm it is still needed.
FW_LOAD_MODULES="nf_conntrack_netbios_ns"

## Type: string
## Default:
#
# Bridge interfaces without IP address
#
# Traffic on bridge interfaces like the one used by xen appears to
# enter and leave on the same interface. Add such interfaces here in
# order to install special permitting rules for them.
#
# Format: list of interface names separated by space
#
# Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead
#
# Example:
# FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
#
FW_FORWARD_ALWAYS_INOUT_DEV=""

## Type: string
## Default:
#
# Whether traffic that is only bridged but not routed should be
# allowed. Such packets appear to pass through the forward chain so
# normally they would be dropped.
#
# Note: it is not possible to configure SuSEfirewall2 as bridging
# firewall. This option merely controls whether SuSEfirewall2 should
# try to not interfere with bridges.
#
# Choice:
# - yes: always install a rule to allow bridge traffic
# - no: don't install a rule to allow bridge traffic
# - auto: install rule only if there are bridge interfaces
#
# Defaults to "auto" if not set
#
FW_FORWARD_ALLOW_BRIDGING=""

## Type: yesno
## Default: yes
#
# Write status information to /var/run/SuSEfirewall2/status for use
# by e.g. graphical user interfaces. Can safely be disabled on
# servers.
#
# Defaults to "yes" if not set
#
FW_WRITE_STATUS=""

## Type: yesno
## Default: yes
#
# Allow dynamic configuration overrides in
# /var/run/SuSEfirewall2/override for use by e.g. graphical user
# interfaces. Can safely be disabled on servers.
#
# Defaults to "yes" if not set
#
# NOTE(review): left at the default "yes", the effective rule set can be
# changed at runtime through the override directory, so the running rules
# may differ from this file. Set "no" on a server where this file alone is
# meant to define the policy.
FW_RUNTIME_OVERRIDE=""

## Type: yesno
## Default: yes
#
# Install NOTRACK target for interface lo in the raw table. Doing so
# speeds up packet processing on the loopback interface. This breaks
# certain firewall setups that need to e.g. redirect outgoing
# packets via custom rules on the local machine.
#
# Defaults to "yes" if not set
#
FW_LO_NOTRACK=""

## Type: yesno
## Default: no
#
# Specifies whether /etc/init.d/SuSEfirewall2_init should install the
# full rule set already. Default is to just install minimum rules
# that block incoming traffic. Set to "yes" if you use services
# such as drbd that require open ports during boot already.
#
# Defaults to "no" if not set
#
FW_BOOT_FULL_INIT=""

Here is my configuration file. I am also running a child proxy on this server, which is 172.16.0.1. I want this firewall to work so that no host is allowed to go out except 172.16.0.1, but even if I stop the firewall, the hosts can still access the internet. What is my error up there?


Thanks in advance.