Hi,

One small thing: I don't know what kind of response you will get from this list WRT your question, but I think you might find the firewall mailing list at greatcircle.com a bit more helpful.

That having been said, I think your diagram should actually look like:

    T1/Internet --- public server ---- firewall ------- corporate net

The firewall itself ideally should consist of an external router, bastion host and internal router. The bastion host would run your various proxies etc., and the internal router would have your packet filtering. The external router could also have packet filters to prevent spoofing, although many people don't install any filters on this machine.

> I am more than just a little ignorant of how firewalls work, but from my
> understanding, packets from the internal network are sent to the firewall
> first, and once they are outside the network, they look as if they
> originated on the firewall. Inbound packets from the external network
> are addressed to the firewall. Our mail and other
> services would reside on a publicly accessible server.

Basically correct. Your routing should be set up such that all traffic to/from the internal net and/or Internet *must* go through the firewall bastion host (in the above configuration). As such the packets would look as if they originated from the bastion.

As to mail and other services (I'm not too sure what these other services are), they can reside on the internal net, providing that the bastion is set up to run some sort of proxying service that will forward mail to the internal net. This of course implies correct setup of your DNS (MX records) and sendmail etc.

> I am familiar with SCO, Solaris and Linux. I run Linux 1.1.95 and 1.2.1
> which have IP firewalling support within the kernel. What software can
> I use to utilize that support?

You could try the TIS FWTK (or the commercial version, Gauntlet) to handle your proxying on the bastion host (and no, I am not connected to TIS; I have just used their stuff and find it to be just great, so I recommend it to others). The only caveat with TIS FWTK is that it currently runs on SunOS 4.1.3, although some folks have ported it to Solaris.

Hope this helps, let me know if anything isn't clear.

===========================================================================
Larry Chin {Larry_Chin@ca.cch.com}
System/Network Administrator
CCH Canadian Ltd.
(416) 441-4001 ext. 349
===========================================================================
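To make the split between the routers concrete, here is an added example in Python; it is not code from Larry's post, from the original asker, or from the TIS FWTK. It models a first-match, default-deny packet filter of the kind a screening router runs, and encodes the two policies described above: an anti-spoofing filter on the external router, and an internal router that lets only the bastion talk to the corporate net so every flow has to pass through the proxies. The address plan (192.168.1.0/24 for the corporate net, 192.168.200.0/24 for the perimeter net between the routers, 192.168.200.2 for the bastion), the interface names and the rule sets are assumptions made for this illustration, as are the sample packets.

```python
"""Screened-subnet packet filter model (added example; addresses are assumed)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Assumed address plan, not taken from the post:
#   Internet -- external router -- perimeter net -- internal router -- corporate net
# The bastion host and the public server both sit on the perimeter net.
INTERNAL_NET = ip_network("192.168.1.0/24")     # corporate net
PERIMETER_NET = ip_network("192.168.200.0/24")  # net between the two routers
BASTION = ip_network("192.168.200.2/32")        # host running the proxies
ANY = ip_network("0.0.0.0/0")


@dataclass
class Packet:
    iface: str  # interface the packet arrived on ("internet", "perimeter", "internal")
    src: str
    dst: str


@dataclass
class Rule:
    iface: str          # "*" matches any interface
    src: IPv4Network
    dst: IPv4Network
    action: str         # "accept" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface == "*" or self.iface == pkt.iface)
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst)


def decide(rules: list, pkt: Packet) -> str:
    """First matching rule wins; a packet that matches no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# External router. The post notes many sites leave it unfiltered; the one filter
# worth having is anti-spoofing: a packet arriving from the Internet side must
# not claim a source address inside the perimeter or corporate nets.
EXTERNAL_ROUTER = [
    Rule("internet", INTERNAL_NET, ANY, "deny"),
    Rule("internet", PERIMETER_NET, ANY, "deny"),
    Rule("*", ANY, ANY, "accept"),
]

# Internal router. This is where the real packet filtering lives: only the
# bastion may send into the corporate net, and corporate hosts may only send
# to the bastion, so all traffic in either direction goes through the proxies.
# Everything else, including the public server reaching inside directly,
# falls through to the default deny.
INTERNAL_ROUTER = [
    Rule("perimeter", BASTION, INTERNAL_NET, "accept"),
    Rule("internal", INTERNAL_NET, BASTION, "accept"),
]


def demo() -> dict:
    """Run constructed sample packets through both routers."""
    samples = {
        # Internet host spoofing a corporate source address: stopped at the edge.
        "spoofed_from_internet": (EXTERNAL_ROUTER, Packet("internet", "192.168.1.5", "192.168.200.2")),
        # Ordinary inbound mail to the bastion: the external router lets it in.
        "inbound_to_bastion": (EXTERNAL_ROUTER, Packet("internet", "203.0.113.7", "192.168.200.2")),
        # Bastion forwarding (proxied) mail to the internal mail host: allowed.
        "bastion_to_internal": (INTERNAL_ROUTER, Packet("perimeter", "192.168.200.2", "192.168.1.10")),
        # Public server trying to reach inside directly: denied.
        "public_server_to_internal": (INTERNAL_ROUTER, Packet("perimeter", "192.168.200.3", "192.168.1.10")),
        # Corporate host trying to reach the Internet without the proxy: denied.
        "internal_direct_out": (INTERNAL_ROUTER, Packet("internal", "192.168.1.10", "203.0.113.7")),
        # Corporate host talking to the bastion's proxy: allowed.
        "internal_to_bastion": (INTERNAL_ROUTER, Packet("internal", "192.168.1.10", "192.168.200.2")),
    }
    return {name: decide(rules, pkt) for name, (rules, pkt) in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

The point of the two rule sets is the one Larry makes about routing: a corporate host cannot reach the Internet, and an Internet host cannot reach the corporate net, except by way of the bastion, so only the proxies you deliberately run on it are exposed. The anti-spoofing rules on the external router close the gap where an outside packet carrying a perimeter or corporate source address would otherwise be trusted by the internal router's "from bastion" rule.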