Hi, everyone,

All is working here now. The opinion of the engineer I was working with is that the first netstat entry *is* wrong, since the address is outside the bounds of our network, but it isn't affecting anything, and my attempts to delete and correct the entry with the route command fail. Since it really doesn't break anything, we're going to worry about it later.

The problems were, as I suspected, simple and stupid. I had forgotten to add a forward -j ACCEPT line for the server on the DMZ to ipchains. I put in one line allowing everything, and suddenly everything worked. Needless to say, I need to replace it with specific lines only allowing specific ports. Yikes! Once that was fixed, tracert (the NT version of traceroute), ping, and so on all worked.

Problem two (equally stupid) is that NetBIOS is *not* routable, and I was trying to route authentication through the firewall. Duh! I needed to dual-home the DC and turn IP forwarding off on that box so that it can't be used to do an end-around to get past the firewall. Consider it another limitation of how Microsoft chose to do NT authentication. (Like, who needs domains on more than one network and only one or two domain controllers, right? I mean, we all know you should buy at least one extra NT box for each net, don't we? Yuck!) Geez, I *knew* this, but forgot about it. I've been thinking *nix and not thinking Microsoft.

Anyway, we've got it, and all is well. I just have a pounding headache from hitting my head against the wall like an idiot. I should have known better!

Oh, and whoever recommended gfcc as the graphical interface for the firewall: THANK YOU! It doesn't do everything we'd like, but it's got most of it, and my Windows-oriented clients can work with it.

Best,
Caity

Caitlyn M. Martin
NetFerrets

_______________________________________________
techtalk mailing list
http://www.linux.org.uk/mailman/listinfo/techtalk
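The post mentions a blanket `forward -j ACCEPT` line that should be replaced with port-specific rules. The script below, added here as an illustration and not part of the original post or Caitlyn's firewall, generates the ipchains 2.2-era rule set for that case: a DENY policy on the forward chain, one inbound rule per allowed TCP port to the DMZ host, and a reply rule restricted to non-SYN packets so the DMZ host cannot initiate new connections outward through the forward chain. The DMZ address (192.168.10.5) and the ports are assumptions; the functions print the commands instead of running them, so the output can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the original post). Emits ipchains commands for
# a DMZ web server; the address 192.168.10.5 and ports 80/443 are assumed.

# The rule the post describes adding in a hurry: forward everything.
blanket_rule() {
    echo "ipchains -A forward -j ACCEPT"
}

# Port-specific replacement. Usage: dmz_forward_rules <server-ip> <port>...
# For each port: inbound new connections to the server, and replies from
# the server that are not SYN packets (! -y), so the DMZ host cannot use
# the forward chain to open connections of its own.
dmz_forward_rules() {
    server="$1"; shift
    echo "ipchains -P forward DENY"
    for port in "$@"; do
        echo "ipchains -A forward -p tcp -s 0/0 -d $server $port -j ACCEPT"
        echo "ipchains -A forward -p tcp ! -y -s $server $port -d 0/0 -j ACCEPT"
    done
}

# Returns 0 if the rule text on stdin contains no destination-less ACCEPT
# on the forward chain, 1 otherwise. Use it to catch the blanket rule.
no_blanket_accept() {
    if grep -q -- '-A forward -j ACCEPT'; then
        return 1
    fi
    return 0
}

# Counts the rule lines on stdin (plain number, no padding).
rule_count() {
    grep -c ''
}

# Apply only when ipchains is actually present; otherwise just show them.
apply_or_show() {
    if command -v ipchains >/dev/null 2>&1; then
        dmz_forward_rules "$@" | sh
    else
        dmz_forward_rules "$@"
    fi
}

# Example invocation: review the rules for a DMZ host serving HTTP and HTTPS.
# apply_or_show 192.168.10.5 80 443
```

Review the generated lines before piping them to `sh`; the DENY policy on the forward chain is what makes the per-port rules meaningful, and the `! -y` reply rule is a coarse stand-in for connection tracking, which ipchains does not have. The NT-side change the post describes (dual-homing the DC with IP forwarding disabled) is a registry setting on that box, not something this script touches.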