RE: Gauntlet source IP address re-write question

["Burgess, John (EDS)" <jburgess () railtex com>]

I have been running Raptor Eagle for the last 2 years, am currently
> running 5.X NT version and I can say that the comment "Raptor enables
> wholesale transparency of your network, letting people outside route anything
THEY want to anywhere on your network" does not appear to be true.  

Transparency of internal hosts must be actively configured and enabled.
This feature is easily controlled, not easily misconfigured and can be a
useful feature.

> ----------
> From:  Joseph S D Yao[SMTP:jsdy () cospo osis gov]
> Sent:  Monday, November 09, 1998 10:40 AM
> To:    esteban () ceap net
> Cc:    firewall-wizards () nfr net
> Subject:       Re: Gauntlet source IP address re-write question
>
> > This is a Gauntlet specific question, but I would like to hear about other
> > systems too. I am looking at implementing Gauntlet at some sites and have
> > come
> > across a question that I can't easily find an answer for. 
> >
> > Being an APG, the proxy rewrites the source IP address of connections
> > outgoing
> > from the internal protected networks to that of the outside interface of
> > the
> > firewall.
> >
> > I.e, if I telnet from an internal machine to some machine on the Internet
> > and
> > do a "who", I will see myself logged in from the external IP address of the
> > firewall.
> >
> > There is an option for "transparency" in Gauntlet, but from what I can tell
> > from the documentation, it only works in such a way that the internal users
> > can
> > initiate connections directly to the outside world. Transparency in that
> > case
> > provides for not having to reconfigure internal users' machines.
> >
> > The problem is the IP address rewrite.  When I connect to some external
> > host
> > with whatever application, I want to see the source IP address as the real
> > IP
> > address, not the IP address of the firewall. Is there such a way to make
> > Gauntlet do that? As far as I can tell, the only way is to use the "Plug"
> > proxy, which does have an option for passing the source IP address. But
> > there
> > is no such option on the telnet proxy setup.
> >
> > Raptor, on the other hand, in the last release of their software
> > implemented a
> > whole scale transparency that does accomplish maintaining the source IP
> > address
> > of connections coming across the proxies. Is there really no such
> > comparable
> > option in Gauntlet? Can you turn off source IP address re-write? Maybe I
> > missed
> > something.
>
> Raptor enables wholesale transparency of your network, letting people
> outside route anything THEY want to anywhere on your network.  This is
> why we don't like it and don't use it.  Gauntlet transparency does the
> same thing, to some degree.  (Yes, as I understand it, for telnet,
> too.)  You'll have to decide whether you feel comfortable exposing
> yourselves like that.
>
> --
> Joe Yao                                jsdy () cospo osis gov - Joseph S. D. Yao
> COSPO/OSIS Computer Support                                    EMT-A/B
> -----------------------------------------------------------------------
> This message is not an official statement of COSPO policies.