Hi,

I recently installed a firewall machine (SuSE 6.4, kernel 2.2.14) for a company connected to the internet via a 64K permanent leased line. Initially I was told there were no requirements to offer any services from inside the company to the outside (www, mail, etc.), so I went with a fairly simple setup (no DMZ), which would also fit their budget.

Setup: Internet - Cisco Router - Linux Firewall - LAN

While setting up the machine on site, the IT department found out that their new provider had taken over the domain name (as requested) and provided IP addresses for firewall.company.com, mail.company.com and also www.company.com, all routed to the same network. Soon I was confronted with the wish to make their NT-based mail server - residing on the internal LAN and formerly sending and receiving mail via a dialup link (to the old provider) - talk to the outside world. Setting up a second firewall and a DMZ (which for me would have been the best solution security-wise) was not an option. So I went with the ipmasqadm tool, and now I am port-forwarding mail to and from mail.company.com over the firewall machine. I am not very happy with this, as it just opens more potential vulnerabilities.

First question: does anyone have a better solution for this (given the setup and restrictions I described above)?

Now, after connecting those guys to the internet, they contacted me again with the next wish: certain employees are supposed to be able to connect from home/hotel/anyplace (of course outside the LAN) via the firewall (or, what they suggested first, a dialin server INSIDE the LAN *sigh*) to certain services inside their LAN (mainly file services). Doh!

Second question: what would be a good/the best solution to give them access? I am extremely reluctant to let NetBIOS and similar protocols cross the firewall; I also don't really want to provide dialup access on the firewall box, and even less on a machine inside the LAN. Anything that will be transferred would have to be encrypted, since I can't imagine they would want to transmit confidential material without some sort of protection.

OK, I started reading up on VPNs and related material. To be short, I am not familiar with this topic yet, so I thought I'd try and get some advice from this mailing list first before I waste hours investigating useless material. All hints and/or links to material discussing this topic are very much appreciated.

Thanks,
Erwin

Erwin Zierler | Web-/Hostmaster - Stubainet
Email: Erwin.Zierler@stubainet.at / webmaster@stubainet.at
Mobile: 0664 - 130 67 91 | Tel.: 05225 - 64325 | Fax 99