Gregg, If you're more comfortable with Win2K than BSD, then that's what I would recommend you stick with. A properly hardened NT box makes a decent bastion host.
I have had good success with Microsoft's ISA server. There are a few books I recommend if you go that route:

Securing Windows NT/2000 Servers - Stefan Norberg - 1-56592-768-0
Configuring ISA Server 2000 - Dr. Thomas Shinder - 1-928994-29-6
ISA Server and Beyond - Dr. Thomas Shinder - 1-931836-66-3

The "beauty" of ISA server is that you only *need* one public IP address. Your mail server can be on your LAN using a private IP. You publish your mail service on the ISA box. Of course, you may configure a DMZ and place your mail server (with a public IP of its own) there. This requires enough IPs to do it (I don't think 5 is enough), as you'll need a 3rd NIC on the ISA box, plus burn 1 for the network ID, etc.

I ran Win2k and ISA on a Celeron 333a with 128MB - it was very slow to use the console, but our T1 line at 1.5 Mbps worked fine. It actually sped up some sites, as ISA can act as a cache as well.

Best of luck with your implementation, BSD or otherwise!

Regards,
-Mike

-----Original Message-----
From: Gregg [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 29, 2003 4:41 AM
To: [EMAIL PROTECTED]
Subject: Security/Firewall question

Hi everyone!

I'm still pretty new to security and firewalls and such, and I'm having a problem wrapping my head around a couple of concepts.

Here's what I have:
I have a stand-alone email server behind an ADSL router (with 4-port hub). The router is set to pass-through (NAT and firewall disabled). 1 port goes to a firewall device, and my LAN behind that. 1 port goes to my email server, a Win2k box (hey, quit lookin' at me like that). I've got a handful of fixed IPs to work with.

Here's what I'd like to do:
Keep everything the same BUT put an OpenBSD box in between the router and the email server (protect the snivelling email server). So, I builts me dis purty OpenBSD box from the broken bodies of mine enemies past (a Dell Dim XPS V350 with a bad video card). Put 2 NICs in the beast. Lovely.

Now, I have an IP from my block of 5 registered currently for my email server. I'm not certain if I want to assign that IP to the OpenBSD firewall, and use NAT and/or RDR to pass on SMTP traffic on port 25 to the email server. Yes? No? Maybe? Am I a shame on my species?
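The NAT/RDR arrangement Gregg asks about, written out as an added example (it is not from either poster): an OpenBSD pf.conf in the pre-4.7 syntax current in 2003, where the firewall takes over the mail server's public IP and the mail server moves to a private address behind the second NIC. Interface names and all addresses are assumed placeholders.

```conf
# Added example, not from the thread. Placeholders: fxp0/fxp1 are assumed
# NIC names, 192.0.2.10 stands in for the public IP moved from the mail
# server to the firewall, 10.0.0.0/24 is the new private segment behind it.
ext_if   = "fxp0"          # towards the ADSL router (pass-through, no NAT)
int_if   = "fxp1"          # towards the mail server; give it 10.0.0.1
ext_ip   = "192.0.2.10"    # the public IP the mail server used to own
mail_ip  = "10.0.0.25"     # mail server; its default gateway must be 10.0.0.1

set skip on lo0
scrub in all               # reassemble fragments, normalise TCP before filtering

# Translation rules come before filter rules in this syntax.
# Outbound: the mail server's own traffic leaves with the firewall's public IP.
nat on $ext_if from $mail_ip to any -> $ext_ip

# Inbound: SMTP arriving at the public IP is redirected to the mail server.
# Filter rules below see the post-translation address ($mail_ip), not $ext_ip.
rdr on $ext_if proto tcp from any to $ext_ip port 25 -> $mail_ip port 25

# Default deny, logged: anything not explicitly passed shows up on pflog0.
block log all

# Redirected SMTP in: only new connections (SYN without ACK), state-tracked.
pass in  on $ext_if proto tcp from any to $mail_ip port 25 flags S/SA keep state
pass out on $int_if proto tcp from any to $mail_ip port 25 flags S/SA keep state

# Mail server's own outbound SMTP and DNS; nothing else from it is allowed out.
pass in  on $int_if proto tcp from $mail_ip to any port 25 flags S/SA keep state
pass in  on $int_if proto udp from $mail_ip to any port 53 keep state
pass out on $ext_if proto tcp from $ext_ip to any port 25 flags S/SA keep state
pass out on $ext_if proto udp from $ext_ip to any port 53 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` to see what the default block rule is dropping.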