Firewall Wizards mailing list archives

RE: SingleHomedHost


From: Elizabeth Zwicky <zwicky () counterpane com>
Date: Fri, 25 May 2001 09:31:40 -0700


I also understand why the Packet-Filtering Router should drop outgoing packets, unless they originate from the Proxy Server.

However, since the Proxy Server only has one NIC, and since it appears to be on the same segment as the internal LAN, how does the Proxy Server intercept outgoing traffic?

The proxy server does not need to intercept the outgoing traffic;
the hosts must direct their traffic to it. If the hosts do not
direct traffic to it, the traffic won't get out. That is why the
packet-filtering router drops outgoing packets from hosts other
than the proxy server.

Building Internet Firewalls seems to suggest that the NIC needs to be put into promiscuous mode, so that it can intercept all outbound traffic. This seems to me to be a strange solution.

There are some transparent proxy servers that are able to work this
way, which is a convenience, since when this works, you
don't need to configure hosts to direct traffic to the proxy server.
Transparent proxy servers like this are generally dual-interface
and act as bridges, so that you can put them directly in front
of the router. However, even if they aren't, in this configuration
traffic that doesn't reach the proxy server doesn't get anywhere,
and people will be strongly motivated to fix it.

        Elizabeth
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
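An added illustration of the policy described in the reply above (example code, not part of the thread): the router passes outbound packets only when the proxy is the source, so a host that is not configured to use the proxy simply gets nothing out. Addresses are constructed, and the handling of local and inbound traffic is an assumption made for the demo.

```python
from dataclasses import dataclass

# Constructed sample addresses (not from the original thread).
PROXY = "192.0.2.10"
INTERNAL_PREFIX = "192.0.2."   # prefix test stands in for a real netmask
EXTERNAL_HOST = "198.51.100.80"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str   # interface the router received it on: "internal" or "external"


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_PREFIX)


def router_verdict(pkt: Packet) -> str:
    """Packet-filtering router policy from the thread: outbound packets
    (arriving on the internal interface, bound for an outside address)
    are dropped unless they originate from the proxy server."""
    if pkt.iface == "internal" and not is_internal(pkt.dst):
        return "pass" if pkt.src == PROXY else "drop"
    # Local traffic and inbound replies are not the point being made;
    # treating them as allowed here is an assumption for the demo.
    return "pass"


def host_fetch(host: str, dst: str, uses_proxy: bool) -> str:
    """Model one internal host fetching an external resource.
    A host configured for the proxy talks to the proxy, which then
    originates the external packet itself; an unconfigured host sends
    straight to the destination and meets the router filter."""
    if uses_proxy:
        # The proxy relays, so the packet the router sees has PROXY as source.
        return router_verdict(Packet(src=PROXY, dst=dst, iface="internal"))
    return router_verdict(Packet(src=host, dst=dst, iface="internal"))


if __name__ == "__main__":
    print("configured host:  ", host_fetch("192.0.2.55", EXTERNAL_HOST, True))
    print("unconfigured host:", host_fetch("192.0.2.55", EXTERNAL_HOST, False))
```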
