> You can always use IP passthrough on the DMZ (with public IPs). We
> have moved to that sort of setup in which case the firewall ever
> chokes you just remove it and put a secondary IP on your border router
> until you get the firewall back in place.

There's nothing wrong with that, but the issue that Mr. Davies brought up was running services on non-standard ports, which is the same whether you are running NAT or Passthrough. Since the NAT for servers has to be static, the security features of using NAT vs IP Passthrough on the DMZ are probably about even, but using NAT still allows you a lot more flexibility in configuration, and can save IP addresses if you can use one IP address for two or more services running on different machines.

Because of the minimal hardware requirements of the GNAT Box, I would keep a full spare in any situation where uptime is critical. Swapping in the spare GNAT Box would probably be quicker than removing the GNAT Box to connect your servers directly to the router (no cables to re-route!), and has the added advantage of not taking the PRO network off the Internet.

Mike Burden
Lynk Systems
(616)532-4985
[EMAIL PROTECTED]
