I've got a Cisco dial-in ISDN router to connect a LAN to the Internet. Mr. Boss wants a firewall to be placed behind the Cisco. Now I thought I could set up an old 486/40 box with two NICs and SuSE 7.0 to do the trick. It's no problem to install the box with its own dial-in device (modem). It does firewalling and masquerades the LAN nicely.

If I switch off masquerading and set the world device to eth1 (towards the Cisco), it stops incoming packets from the LAN. I can watch them come in on eth0 with tcpdump, but they don't show up on eth1 of the "firewall" PC. They come through when I enable masquerading again, but then I get double MASQ and my LAN boxes get confused. How can I solve this with yast? I'd rather not set up my own rule sets before I get deeper into the topic. I'd like at least the protection that the SuSE dudes could produce with their sophisticated script.

Btw. I assume real clever hackers get in almost everywhere, but they are rare. On the other hand there are thousands of script kiddies scanning the Net when they are home from school, or the whole day if they have a flat rate. Their scanners are pounding our Cisco, which presumably doesn't offer services to the outside itself but does masquerade our LAN. Is there a potential danger that a SubSeven probably lurking in a LAN box could answer the call of such a scan and offer its services to the attacker? In other words, doesn't masquerading itself offer a good deal of security since it hides our PCs?

Later
Andreas