Firewall Wizards mailing list archives
Re: SingleHomedHost
From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 25 May 2001 11:29:53 -0600 (MDT)
On Thu, 24 May 2001, Al.G. Protosimaki wrote:
INTERNET ------- PFR ------------- LAN
                          |
                          |
                          PS
The diagram is a bit out of date, and reflects a time when routers that did packet filtering couldn't do both in and out on the same interface (or performance dictated that you didn't) and they couldn't keep state.

A current diagram should have the line connecting the proxy directly to the router, on a third interface. That way the router can enforce who gets to talk to what in the way you want. The inside only gets to talk to the proxy on port 1080 or whatever, and the proxy can only get to the Internet, and get replies back inside.

Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
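The three-interface policy described in the message above, modelled as a default-deny stateful filter and run over constructed packets. This is an added example, not part of the original post; the interface names, the addresses and the `ThreeLegFilter` class are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed values (not from the post): interface names "inside", "proxy",
# "internet"; proxy host 192.0.2.10; proxy service on port 1080.
PROXY_IP, PROXY_PORT = "192.0.2.10", 1080

@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on
    out_if: str  # interface routing would send it out of
    src: str
    sport: int
    dst: str
    dport: int

class ThreeLegFilter:
    """Default-deny forwarding with a connection table (no flags or timeouts)."""
    def __init__(self):
        self.state = set()  # flows opened by an allowed first packet

    def _new_allowed(self, p):
        # Inside hosts may open connections only to the proxy service.
        if p.in_if == "inside" and p.out_if == "proxy":
            return p.dst == PROXY_IP and p.dport == PROXY_PORT
        # The proxy may open connections only toward the Internet.
        if p.in_if == "proxy" and p.out_if == "internet":
            return p.src == PROXY_IP
        return False

    def forward(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.state or reverse in self.state:
            return True  # belongs to a connection already allowed
        if self._new_allowed(p):
            self.state.add(flow)
            return True
        return False

def run_sample():
    fw = ThreeLegFilter()
    pkts = [  # constructed sample traffic
        Packet("inside", "proxy", "10.0.0.5", 40000, PROXY_IP, 1080),
        Packet("proxy", "inside", PROXY_IP, 1080, "10.0.0.5", 40000),
        Packet("proxy", "internet", PROXY_IP, 50000, "198.51.100.7", 80),
        Packet("internet", "proxy", "198.51.100.7", 80, PROXY_IP, 50000),
        Packet("inside", "internet", "10.0.0.5", 40001, "198.51.100.7", 80),
        Packet("internet", "proxy", "203.0.113.9", 4444, PROXY_IP, 1080),
        Packet("internet", "inside", "203.0.113.9", 4444, "10.0.0.5", 22),
        Packet("proxy", "inside", PROXY_IP, 50001, "10.0.0.5", 445),
    ]
    return [fw.forward(p) for p in pkts]
```

The first four packets (client to proxy, proxy to Internet, and their replies) pass; the direct inside-to-Internet attempt, the unsolicited inbound connections and the proxy-initiated connection toward the inside are dropped.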
Current thread:
- SingleHomedHost Al.G. Protosimaki (May 25)
- Re: SingleHomedHost Drew Simonis (May 25)
- Re: SingleHomedHost Ryan Russell (May 25)
- Re: SingleHomedHost Joseph S D Yao (May 30)
- <Possible follow-ups>
- RE: SingleHomedHost Elizabeth Zwicky (May 25)