Today most ISP connections are done using a feature rich Wi-Fi DSL router, that possibly provides wired Ethernet connections as well. The DSL router performs masquerading to the internet. One or more isolated SUSE Linux machines want to connect to the internet but need not to communicate with each other. eth0 is the wired or Wi-Fi ethernet device connected to the DSL router:

FW_DEV_EXT="eth0"

Alternatively, if the internal machines want to exchange data with each other and the DSL router is trusted and configured to perform appropriate masquerading/filtering/forwarding then the associated ethernet device can be treated as internal:

FW_DEV_INT="eth0"

Another approach is to treat the network as external (and thereby blocking most traffic) but define a trusted subnet. This way only the trusted subnet IPs can communicate with each other, while external IPs from the internet are blocked:

FW_DEV_INT="eth0"
FW_TRUSTED_NETS="192.168.1.0/24"

A family owns multiple PCs, a SUSE Linux PC is connected to the internet via DSL. The family's LAN uses private IPs therefore masquerading has to be used. The Firewall provides no services whatsoever. The address of the LAN is 192.168.10.0/24.

FW_DEV_EXT="dsl0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"

Same network as above but additionally the Firewall is also connected to a wireless network. Hosts in the wireless network should get internet access but are not allowed to communicate with the internal network. The address of the WLAN is 192.168.20.0/24.

FW_ZONES="wlan"
FW_DEV_EXT="dsl0"
FW_DEV_INT="eth0"
FW_DEV_wlan="wlan0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24 192.168.20.0/24"

A company uses it's SUSE Linux PC to access the internet via DSL or other similar kind of broadband ISP connection. It has got a static IP address and a web server running on the PC plus it's mail-/pop3-server for the company. Squid is running to cache www traffic. No internal PC should have direct access to the internet. The LAN is connected to the interface eth0.

FW_DEV_EXT="dsl0"
FW_DEV_INT="eth0"
FW_SERVICES_EXT_TCP="smtp www"
FW_SERVICES_INT_TCP="smtp domain www pop3 3128"
FW_SERVICES_INT_UDP="domain"
FW_PROTECT_FROM_INT="yes"

A small company wants access to the internet for it's client PCs. Additionally the subsidiariaries client PCs should get access to the local network through an IPsec tunnel. Internet traffic should be masqueraded but not traffic between subsidiaries.

FW_DEV_EXT="dsl0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_SERVICES_EXT_UDP="isakmp"
FW_SERVICES_EXT_IP="esp"
FW_FORWARD="10.10.0.0/16,192.168.1.0/24,,,ipsec 192.168.1.0/24,10.10.0.0/16,,,ipsec"
FW_MASQ_NETS="0/0,!192.168.1.0/24

This company has got a more complex setup:

Internet
|
|           Web server
|               |
SUSE-Firewall----
|
|---Mail server
|
|---Database
|
Internal LAN
      

All Mail is delivered to the firewall. It also provides DNS service for the internal and external networks. There's a DMZ where a Web server resides (port 80 and port 443) which needs to connect to the Firewall to deliver mail to the internal network, send syslog messages and do DNS lookups. It needs also direct access to an internal database (bad idea!). All mail which is delivered to the firewall, is sent to the internal mail server. The mail server sends all mail destined for the internet to the firewall. Internal PCs which access the internet should be masqueraded.

The mail server on the firewall needs to be setup as a relay for the internal network. The mail server on the internal network has to use the firewall host as relay.

FW_DEV_EXT="eth2"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.1.0/24"
FW_SERVICES_EXT_TCP="smtp domain"
FW_SERVICES_EXT_UDP="domain"
FW_SERVICES_DMZ_TCP="smtp domain"
FW_SERVICES_DMZ_UDP="domain syslog"
FW_SERVICES_INT_TCP="smtp domain"
FW_SERVICES_INT_UDP="domain"
# access to the web server and allow access from the web server to the database
FW_FORWARD="0/0,200.200.200.200,tcp,80 \
    0/0,200.200.200.200,tcp,443 \
    200.200.200.200,192.168.1.3,tcp,4545"
# all DNS and mail is done by the firewall
FW_REDIRECT="192.168.1.0/24,0/0,tcp,53,53 \
    192.168.1.0/24,0/0,tcp,25,25 \
    192.168.1.0/24,0/0,udp,53,53"
FW_ALLOW_PING_DMZ="yes"

The redirect statements in this example are gimmicks to show how to use them. In this example they send any traffic from the internal network, which go via the firewall and a are destined to a target port of 53 (DNS) or 25 (Mail) to the local servers on the firewall.

Internet
|
|      Trusted_Company
|      |
|      |
SUSE-Firewall----Web server
|      |
|      |
|      |
|      |-- Admin Network
|
Internal LAN---Server (for the trusted_company)
|
Mail server
      

The company has a connection to the internet but also to an additional line to a trusted third party company, who needs SSH Access to an internal server ("Server" on the map). There is also a DMZ with a web server (www, https) which sends DNS, mail and syslog to the firewall. The web server has got a private IP Address, hence it must be reverse masqueraded. It gets being administrated with SSH from the Admin LAN. The Admin Network should be masqueraded to the internet and get full access. The Internal LAN should also be masqueraded to the internet but only be allowed to access www, https and ftp. Only TCP connections from the Admin network to the internal LAN should be allowed, not from the internal LAN to the Admin network. No traffic between the internet and the trusted company should be allowed. The firewall receives all mails and sends them to an internal mail server or to the internet. It also provides DNS service to it's internal/dmz networks.

The mail server on the firewall needs to be setup as a relay for the internal network. The mail server on the internal network has to use the firewall host as relay.

FW_DEV_EXT="eth3 eth4"
FW_DEV_INT="eth0 eth1"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
# full access for Admin LAN, www/https/ftp for internal
FW_MASQ_NETS="10.0.1.0/24 10.0.2.0/24,,tcp,21 10.0.2.0/24,,tcp,80 \
    10.0.2.0/24,,tcp,443"
FW_SERVICES_EXT_TCP="smtp"
FW_SERVICES_DMZ_TCP="smtp domain"
FW_SERVICES_DMZ_UDP="domain syslog"
FW_SERVICES_INT_TCP="smtp domain"
FW_SERVICES_INT_UDP="domain"
FW_FORWARD="10.0.1.0/24,10.0.2.0/24,tcp 10.0.1.0/24,10.0.10.2,tcp,22"
# internet access to web server and trusted company access to internal Server
FW_FORWARD_MASQ="0/0,10.0.10.2,tcp,80 0/0,10.0.10.2,tcp,443 \
192.168.1.0/24,10.0.2.3,tcp,22"

Internet
|
|
|
Router
|
|
LAN -- Laptop with SuSEfirewall2
|
|
LAN Server
      

The LAN uses private IP addresses, masquerading is performed by a hardware router or another SuSEfirewall2 host. In addition to the LAN IP the laptop got an official IP address as well. The laptop has only one network interface and wants to offer ssh. The router forwards all traffic for that IP address to the laptop.

Since all traffic is forwarded to the laptop eth0 must be considered untrustworthy, i.e. external.

FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="ssh"
FW_TRUSTED_NETS="192.168.1.0/24"

Note that broadcasts are blocked in the external zone by default. You may change that to allow them in this scenario.