Firewall Wizards mailing list archives
Re: Gauntlet source IP address re-write question
From: Inno Eroraha <inno () patriot net>
Date: Sat, 07 Nov 1998 22:00:28 -0500
The problem is the IP address rewrite. When I connect to some external host with whatever application, I want to see the source IP address as the real IP address, not the IP address of the firewall. Is there such a way to make Gauntlet do that? As far as I can tell, the only way is to use the "Plug" proxy, which does have an option for passing the source IP address. But there is no such option on the telnet proxy setup.
Hmm... making the internal IP address visible to the outside world defeats the entire purpose of the address hiding by the firewall. But, if you must "advertise" your IP address to the world, Gauntlet provides some options:

* Create filtering/screening rules (you really should use this option for "un-proxyable" connections such as UDP, GRE, ICMP, etc.). This works if you have routable IP addresses at both ends, unless of course you are using private IP addresses and doing NAT at the same time.
* For non-standard Gauntlet proxies, such as generic plugs, you have the option to enable "force_source_address." Again, you have to have a routable address at both ends.

But assuming that you are using standard Gauntlet proxies such as tn-gw, http-gw, etc., you are robbed of this. Instead, you could do NAT (some given internal host appears as some outside host).
Raptor, on the other hand, in the last release of their software implemented a whole scale transparency that does accomplish maintaining the source IP address of connections coming across the proxies. Is there really no such comparable option in Gauntlet? Can you turn off source IP address re-write? Maybe I missed something.
Please keep in mind that enabling transparency doesn't necessarily mean that your addresses will be masqueraded/hidden/rewritten by the firewall. By default, internal users get transparency, but their address is re-written by the firewall, unless of course you are referring to transparency through filtering/screening rules.

FYI, there is a Gauntlet mailing list, for Gauntlet-specific discussions, etc. (Go to: http://rmsbus.com/gauntlet-user.htm) for more info.

-0-
Inno Eroraha
Network Security Consultant
http://patriot.net/~inno/
PGPkey: http://patriot.net/~inno/pgpkey
inno () patriot net