You can NAT these addresses with themselves.

-----Original Message-----
From: Quentin Hartman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 4 June 2002 20.31
To: [EMAIL PROTECTED]
Subject: Seemingly obvious Linux / BSD firewall question

Colleagues-

I am in the process of securing a network that currently is wide open. There are several publicly addressable subnets connected via a Cisco router, which is in turn connected to another router, which is where we get our Internet access (border router). I intend to physically place a firewall machine between the internal router and the border router. Some addresses on the network must remain publicly addressable, primarily for services from an ASP we use.

All of the information I have found indicates that in order for a Linux/BSD machine to act as a stateful firewall (or any kind of firewall, for that matter), it must also be doing NAT translation. That intuitively seems wrong, and would make this sort of configuration unusable to me. It seems that a netfilter configuration should be able to do this without doing the NAT translation. Is all the documentation simply written assuming you need NAT as well, or is using it actually not avoidable?

Based on my simple explanation of the configuration, do any of you have suggestions for firewall placement that may be better? Ideally, I would purchase the firewall add-on software for the internal Cisco router, but it is too costly for my budget.

-Regards-
-Q-
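To illustrate the point behind the question above (stateful netfilter filtering does not require NAT), here is an added example that is not from the list thread: a routed firewall ruleset in iptables-restore format that uses only the filter table and conntrack state, with no nat table at all. The interface names, the public subnet 203.0.113.0/24 and the ASP-facing host 203.0.113.10 are constructed placeholders.

```shell
#!/bin/sh
# Routed (non-NAT) stateful firewall ruleset in iptables-restore format.
# Assumptions (constructed placeholders, not from the original post):
#   eth0 faces the border router, eth1 faces the internal Cisco router,
#   203.0.113.0/24 is the public subnet behind the internal router,
#   203.0.113.10 is an ASP-facing host that must stay reachable on 443.
# Only the *filter table is used: no *nat table and no SNAT/DNAT/MASQUERADE,
# so public addresses pass through unchanged while connections are tracked.

gen_rules() {
    ext_if=$1; int_if=$2; pub_net=$3; asp_host=$4
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Firewall's own management plane: tracked replies, loopback, internal SSH.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $int_if -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Transit traffic: stateful filtering without any address rewriting.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: the public subnet may only appear as a source on the inside.
-A FORWARD -i $int_if ! -s $pub_net -j DROP
-A FORWARD -i $ext_if -s $pub_net -j DROP
# Internal hosts may open new connections outbound.
-A FORWARD -i $int_if -o $ext_if -s $pub_net -m conntrack --ctstate NEW -j ACCEPT
# Inbound: only the ASP-facing host, only HTTPS; everything else is logged and dropped.
-A FORWARD -i $ext_if -o $int_if -d $asp_host -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Counts nat-table usage so a reader can confirm the ruleset never rewrites addresses.
nat_rule_count() {
    gen_rules "$@" | grep -c -E '^\*nat|-j (SNAT|DNAT|MASQUERADE)' || true
}

# Usage (as root, kernel with nf_conntrack, net.ipv4.ip_forward=1):
#   gen_rules eth0 eth1 203.0.113.0/24 203.0.113.10 | iptables-restore
```

The FORWARD chain is where transit traffic is inspected; because nothing is rewritten, the internal router and the ASP still see the real public addresses on both sides.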