I believe the ports you will need to leave open for NetBIOS are TCP:138 and TCP:139.

The ideal is to put the public servers in the DMZ, and allow NetBIOS traffic between the private zone and DMZ, while blocking NetBIOS access from the outside and allowing port 80 from the outside to the DMZ.

I've worked for a company that is set up this way. If I remember right:

outside to private: no access allowed.
private to outside: NAT
private to DMZ: unlimited access for specified private hosts (development/IT group only)
DMZ to private: limited access to development/IT and private database servers.
outside to DMZ: port 80, 443, 25, etc... only
DMZ to outside: port 80 and 443 *replies* only, port 25, etc...

Michael J. Sheldon
Internet Applications Developer
Phone: 480.699.1084
http://www.desertraven.com/
PGP Key Available on Request

-----Original Message-----
From: plug-discuss-admin@lists.PLUG.phoenix.az.us [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us] On Behalf Of Joel Dudley
Sent: Friday, April 21, 2000 14:25
To: plug-discuss@lists.PLUG.phoenix.az.us
Subject: firewall

I am setting up a firewall for work using the standard squid/ipchains/masquerade setup. Our e-commerce servers are going to be on the public side of the firewall; they all run IIS on NT because our product is written in Visual FoxPro. Now the programmers on the private side of the firewall are going to want to be able to map drives on the public servers to change data. I told them that this is a no-no and that they should just use the development server I set up to make changes. Turns out they won't listen to me and the boss agrees with them.

I believe that all NT domain control will go out the window when I implement the firewall (if I set it up right), so all of the servers will reside in their own isolated "commerce" domain. Is there any way I can allow these windoze freaks to map drives across this network without compromising too much security? Maybe I should just allow ftp access across from the internal network.

Thanks for any ideas on this situation.

- Joel

_______________________________________________
Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
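
An added example, not part of either message: the zone policy recalled in the reply, modelled as a default-deny check on new TCP connections so the effect on drive mapping can be seen per source. The addresses, host lists and function names are constructed for illustration, and "limited access" from the DMZ is assumed to mean a destination-host allowlist.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: the thread names zones, not addresses.
PRIVATE = ip_network("192.168.1.0/24")
DMZ = ip_network("192.168.2.0/24")
DEV_HOSTS = {ip_address("192.168.1.10")}   # "specified private hosts" (development/IT)
DB_HOSTS = {ip_address("192.168.1.50")}    # private database server
PUBLIC_PORTS = {80, 443, 25}               # outside -> DMZ, as listed in the reply
DMZ_OUT_PORTS = {25}                       # DMZ opens outward connections only for mail


def zone_of(ip):
    if ip in PRIVATE:
        return "private"
    if ip in DMZ:
        return "dmz"
    return "outside"


def decide(src, dst, dport):
    """Verdict for a NEW TCP connection; replies to allowed connections are implied."""
    s, d = ip_address(src), ip_address(dst)
    path = (zone_of(s), zone_of(d))
    if path == ("private", "outside"):
        return "masquerade"
    if path == ("private", "dmz"):
        return "accept" if s in DEV_HOSTS else "deny"
    if path == ("dmz", "private"):
        return "accept" if d in DEV_HOSTS | DB_HOSTS else "deny"
    if path == ("outside", "dmz"):
        return "accept" if dport in PUBLIC_PORTS else "deny"
    if path == ("dmz", "outside"):
        # Ports 80/443 are "replies only": the DMZ never initiates web connections.
        return "accept" if dport in DMZ_OUT_PORTS else "deny"
    return "deny"  # outside -> private and anything unlisted


# Constructed sample flows: (source, destination, destination port)
FLOWS = [
    ("203.0.113.7", "192.168.2.20", 443),   # customer to web server
    ("203.0.113.7", "192.168.2.20", 139),   # NetBIOS session from the Internet
    ("192.168.1.10", "192.168.2.20", 139),  # developer mapping a drive
    ("192.168.1.77", "192.168.2.20", 139),  # non-developer workstation
    ("192.168.2.20", "198.51.100.9", 80),   # DMZ server opening outbound HTTP
    ("203.0.113.7", "192.168.1.50", 1433),  # outside straight to the database
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(*flow, "->", decide(*flow))
```

Only the first and third sample flows are accepted: drive mapping works from the listed development host, while the same port is denied from the Internet and from other private workstations.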