Firewall Wizards mailing list archives
Re: Gauntlet source IP address re-write question
From: "Bruce B. Platt" <bbp () comport com>
Date: Tue, 10 Nov 1998 09:31:08 -0500
At 12:36 PM 11/9/98 -0800, Christopher Michael wrote:
->At 11:40 AM 11/9/98 -0500, Joseph S D Yao wrote:
->>Raptor enables wholesale transparency of your network, letting people
->>outside route anything THEY want to anywhere on your network. This is
->>why we don't like it and don't use it. Gauntlet transparency does the
->>same thing, to some degree.
->
->Gauntlet transparency *only* means that packets addressed to a destination
->on the other side of the firewall are directed to the proxies. It is
->typically used to allow users on the inside to use network applications
->without having to enter the firewall as a proxy server in their configs.
->
->Transparency or not, you have to go through a proxy to get through Gauntlet
->(unless you've enabled packet filtering--which is a whole 'nouther story).
->The proxy rules determine what you have access to.
->

To broaden this a bit. Transparency can mean transparent operation both ways. A truly flexible firewall proxy can be set up to allow transparency BOTH ways. I.e., to allow any host on the red network to connect to any host on the blue net, or vice-versa.

One way to do this is by enabling rules in the packet screening daemon, like:

from interface blue to interface red tcp port xxxx proxy;
from interface red to interface blue tcp port xxxx proxy;

This sort of flexibility demands that the firewall administrator be extremely careful to create appropriate and thoughtful .acl files and/or blacklist entries to keep connections under control, with regular inspection of logs to be sure you get what you expect.

Also, when one creates a transparent proxy, often the initial configuration of the proxy as transparent "inbound" (from red net to blue net) also implies transparent outbound as well. For example, one can create a transparent inbound proxy for POP-3 mail to allow people outside a corporate firewall to retrieve their e-mail from the e-mail server in the blue-net. Depending on the firewall, once the inbound connection is established, outbound traffic will flow as well, enabling in this case a full POP-3 dialogue.

More well known is the penchant for putting web-servers behind a transparent inbound proxy so anyone on the red-net can access either a specific web-server on the blue-net or a re-directing load-balancing router.

I won't go into the risks of what happens when someone manages to compromise either the web servers or the POP mail server in these scenarios, or whether this is a good strategy; I cite these as examples only of getting two-way transparency when setting up one-way.

Regards

+--------------------------------------+
Bruce B. Platt, Ph.D.
Comport Consulting Corporation
78 Orchard Street, Ramsey, NJ 07446
Phone: 201-236-0505  Fax: 201-236-1335
bbp () comport com, bruce@ bruce.platt@
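An added example, not part of the post or of Gauntlet itself: a small evaluator for screening rules written in the shape the post quotes, used to audit which ports a rule set hands to a proxy for red-to-blue (inbound) traffic before any .acl check applies. The rule grammar, the `proxy`/`deny` actions and the default drop are assumptions made for illustration, and the rule set below is constructed.

```python
import re
from dataclasses import dataclass

# Grammar assumed from the post's examples, e.g.
# "from interface red to interface blue tcp port 110 proxy;"
RULE_RE = re.compile(
    r"from interface (?P<src>\w+) to interface (?P<dst>\w+) "
    r"(?P<proto>tcp|udp) port (?P<port>\d+|any) (?P<action>proxy|deny)"
)

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: str      # numeric string or "any"
    action: str    # "proxy" or "deny" (assumed action names)

def parse_rules(text):
    """Parse one rule per line; a trailing ';' is tolerated."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.fullmatch(line.strip().rstrip(";").strip())
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append(Rule(**m.groupdict()))
    return rules

def decide(rules, src, dst, proto, port):
    """First matching rule wins; no match is assumed to mean the screen drops it."""
    for r in rules:
        if (r.src == src and r.dst == dst and r.proto == proto
                and r.port in ("any", str(port))):
            return r.action
    return "drop"

def inbound_exposure(rules):
    """Ports that any host on red can reach on blue via a proxy, i.e. the
    surface that .acl files, blacklists and log review must then control."""
    return sorted({int(r.port) for r in rules
                   if r.src == "red" and r.dst == "blue"
                   and r.action == "proxy" and r.port != "any"})

# Constructed rule set: the two-way POP-3 pair from the post plus an
# inbound-only web rule, with ports filled in for the post's "xxxx".
SAMPLE_RULES = parse_rules("""
from interface blue to interface red tcp port 110 proxy;
from interface red to interface blue tcp port 110 proxy;
from interface red to interface blue tcp port 80 proxy;
""")
```

Running `inbound_exposure(SAMPLE_RULES)` lists the ports opened inbound to a proxy, which is the list an administrator would check against the intended servers and the .acl entries.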