hi,

> The last I heard was that one of the networking guys gave this explanation
> and challenged someone to give an example of where this was the wrong
> thing to do. The thread died there IIRC.
>
> Personally I think it's a great feature because in at least 99.99% of
> cases it's exactly what you want and I haven't found an example of the
> other 0.01%.

okay - here's a strange set-up, but if you think it over, it has some nice advantages.

Assume you have a public network (e.g. 132.231.1.0) routed to your fw/gateway. For the dmz you use a private network (e.g. 10.10.10.0). In the dmz you have two public servers (www 132.231.1.1 and mail 132.231.1.2). On the internal interface of the gw/fw use the ip 10.10.10.254. The two public servers have the 2nd address 10.10.10.1 (www) and 10.10.10.2 (mail).

Now use the following route entries:

www and mail:
  10.10.10.0/24  -> eth0
  default        -> 10.10.10.254

and on the firewall you set the following route entries:
  10.10.10.0/24  -> eth0
  132.231.1.1/32 -> 10.10.10.1
  132.231.1.2/32 -> 10.10.10.2

This design has the (dis?)advantage that every packet with public ip addresses within the dmz is routed again over the fw/gw. For some security/accounting reasons this is not a bad idea <g>

Michael Schoen

--
Michael Schoen <schoen@xxxxxxxxxx>
ANDURAS AG i.G.        Internet: www.anduras.de
Innstraße 71           Tel: 0851/4 90 50-0
94036 Passau           Fax: 0851/4 90 50-55
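To make the routing effect of this set-up concrete, here is an added example (not from the post or its author) that simulates longest-prefix-match forwarding over the three routing tables given above and traces the hops a packet takes. The host names (www, mail, firewall), the address-to-host mapping and the helper names are assumptions made for the simulation; the prefixes and next hops are the ones in the post.

```python
import ipaddress

# Routing tables transcribed from the post.
# Each entry: (prefix, next hop or None for on-link delivery, interface).
ROUTES = {
    "www": [
        ("10.10.10.0/24", None, "eth0"),
        ("0.0.0.0/0", "10.10.10.254", "eth0"),
    ],
    "mail": [
        ("10.10.10.0/24", None, "eth0"),
        ("0.0.0.0/0", "10.10.10.254", "eth0"),
    ],
    "firewall": [
        ("10.10.10.0/24", None, "eth0"),
        ("132.231.1.1/32", "10.10.10.1", "eth0"),
        ("132.231.1.2/32", "10.10.10.2", "eth0"),
    ],
}

# Which host owns which address (assumed from the post: each DMZ server has
# its public address plus a private one, the firewall has 10.10.10.254).
ADDRESSES = {
    "www": {"132.231.1.1", "10.10.10.1"},
    "mail": {"132.231.1.2", "10.10.10.2"},
    "firewall": {"10.10.10.254"},
}


def lookup(host, dst):
    """Longest-prefix match of dst in host's table; returns (net, nexthop, iface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface in ROUTES[host]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return best


def owner(addr):
    """Return the host that owns addr, or None if nobody on this segment does."""
    for host, addrs in ADDRESSES.items():
        if str(addr) in addrs:
            return host
    return None


def trace(src_host, dst, max_hops=8):
    """Return the list of hosts a packet from src_host to dst passes through."""
    dst = ipaddress.ip_address(dst)
    path = [src_host]
    cur = src_host
    for _ in range(max_hops):
        if str(dst) in ADDRESSES[cur]:
            return path                       # delivered locally
        route = lookup(cur, dst)
        if route is None:
            raise RuntimeError(f"{cur}: no route to {dst}")
        _net, nexthop, _iface = route
        # On-link routes deliver straight to the destination; otherwise the
        # packet goes to the next hop, which must itself be on this segment.
        target = dst if nexthop is None else ipaddress.ip_address(nexthop)
        nxt = owner(target)
        if nxt is None:
            raise RuntimeError(f"{cur}: next hop {target} is not reachable")
        path.append(nxt)
        cur = nxt
    raise RuntimeError(f"routing loop after {max_hops} hops")


def traverses_firewall(src_host, dst):
    """True if the firewall sees the packet, i.e. can filter or account it."""
    return "firewall" in trace(src_host, dst)


if __name__ == "__main__":
    for src, dst in [("www", "132.231.1.2"), ("www", "10.10.10.2"),
                     ("mail", "132.231.1.1")]:
        print(f"{src} -> {dst}: {' -> '.join(trace(src, dst))}")
```

Tracing www to the public address of mail gives www -> firewall -> mail, which is the point of the design: the firewall's /32 routes pull the public addresses back through it. Tracing www to 10.10.10.2 gives www -> mail directly, so the filtering and accounting benefit only holds for traffic that uses the public addresses; a server that addresses its neighbour by the private address bypasses the firewall. The simulation ignores ICMP redirects: a gateway that forwards a packet back out the interface it arrived on will normally send one, so in practice the gateway has to have redirects disabled (or the hosts must ignore them) for the path to stay as traced.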