Hi, I have a quick question regarding firewalling using Firewall on CD and routing. The Firewall on CD manual advises not to route packets, but to proxy wherever possible, and in the absence of a proxy for my particular application, I am looking to find out if what I want to do can be done without routing, and where the routing may need to be deployed. My opinion differs from the ISP's, and I need a second opinion before I concede defeat or demand victory.

The setup is that our office facility has a leased line terminating in a router, and provides internet connectivity to multiple clients from the one line. The router which the line terminates in is x.x.x.2 and every IP address we have traceroutes through that router. We have a block of 16 IP addresses from the block of 256 available; we have x.x.x.49..63 all in its own subnet with an appropriate subnet mask to keep the broadcasts local. The ISP installed some type of dumb gateway on .49 to allow our outgoing traffic to reach the router on x.x.x.2 without being in the same subnet as that router, but all incoming traffic avoids the gateway on .49. All traceroutes for any of our 16 IPs route up to and including the x.2 router.

I propose to place a firewall with its public interface on .50 and split the remaining IP addresses, x.51..63, into a disjoint network which I shall use as a DMZ. The DMZ is intended to run an HTTP server, POP, SMTP, a special demo server and another server running VNC server. I propose to have the firewall route this traffic if it reaches the external interface for something in the DMZ. Outgoing traffic will be fine, but it is my understanding that inbound traffic on the leased line needs to know that it must route through x.50 in order to reach the servers located in the DMZ. I will configure the routing in the firewall. I have requested to the ISP that routing changes be made to x.2 so that all traffic for IP addresses x.51..63 be routed through my firewall located on x.50.

The ISP says no, it's not needed, it will work without it. I say he's an idiot. I went over his head to his manager, who also maintains that the routes are not needed to be added, and that it's a waste of time, and I say that he's an idiot too. Can anyone out there confirm that these two guys are idiots, or is it me?

TIA,
Tom Crowe
tom@songfield.com
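The forwarding decision the post is arguing about, as an added example that is not part of the original message: it models how an upstream router picks a next hop for a DMZ address with and without more-specific routes pointing at the firewall. Assumptions: 192.0.2.0/24 (a documentation range) stands in for the post's x.x.x.0/24, the upstream router treats the whole /28 as directly connected, and the function and table names are hypothetical.

```python
import ipaddress

# Constructed addressing: 192.0.2.x stands in for the post's x.x.x.x;
# the last octets (.50 firewall, .51-.63 DMZ) follow the post.
BLOCK = ipaddress.ip_network("192.0.2.48/28")    # the office's 16 addresses
FIREWALL = ipaddress.ip_address("192.0.2.50")    # proposed external interface

def dmz_prefixes(first="192.0.2.51", last="192.0.2.63"):
    """CIDR prefixes that exactly cover the proposed DMZ range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def next_hop(dst, routes):
    """Longest-prefix match over (network, next_hop) pairs.
    A next_hop of None means directly connected: the router ARPs for dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return "unreachable"
    _, hop = max(matches, key=lambda m: m[0].prefixlen)
    return f"ARP for {dst} on-link" if hop is None else f"forward to {hop}"

# Assumed upstream table today: the /28 is one directly connected network.
ROUTES_WITHOUT = [(BLOCK, None)]
# Same table plus the requested static routes via the firewall.
ROUTES_WITH = ROUTES_WITHOUT + [(p, FIREWALL) for p in dmz_prefixes()]

if __name__ == "__main__":
    print("DMZ range as prefixes:", [str(p) for p in dmz_prefixes()])
    for name, table in (("without", ROUTES_WITHOUT), ("with", ROUTES_WITH)):
        for dst in ("192.0.2.50", "192.0.2.53", "192.0.2.60"):
            print(f"{name:8} routes: {dst} -> {next_hop(dst, table)}")
```

In the on-link case the router sends ARP requests for the DMZ host itself, so delivery depends on something on the outside segment answering for that address (for example the firewall doing proxy ARP or bridging). The range .51..63 also does not fit a single prefix, so it takes three routes to cover it.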