Firewall Wizards mailing list archives

Re: Transparent vs. Non-transparent AGs/SPFs/whatever


From: Bill_Royds () pch gc ca
Date: Wed, 23 Sep 1998 12:48:32 -0400






So here's my question:

If I want transparency, am I essentially stuck trying to
determine protocol strictly by port number?  If I want to permit
people out to arbitrary port numbers, am I stuck with the
equivalent of a circuit-level proxy?

                         Ryan





Actually, an Application Gateway can handle protocols even better, because it
can restrict the use of protocols to those defined by the firewall rules.


The proxy server is not determined by the port but by the mapping between
IP, port and proxy.


AGs run transparently if they are the only pipe between the protected
network (inside) and the unprotected Internet (outside).
All default routes of the inside network, whether default gateway or router
defaults, point to the inside NIC of the firewall.
For your example, the firewall rules then say that if any traffic comes
in from the inside NIC for port 2300 it will be proxied as telnet. No other
service will be allowed on port 2300.
Similarly for external traffic. Since there are 2 sessions on the firewall for
each connection (from inside to firewall, from firewall to external
server), you can even change the port on the way through, or even change the
protocol (always change ftp to ftp-PASV running under http).
You are not restricted to carrying the same packets on each side of the
firewall.
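
The following is an added example, not code from the post or from any firewall product: a toy model of the gateway rule table the reply describes, keyed by (inbound interface, destination port) rather than by port alone. The rule set, the port-2300-to-telnet mapping, and the first-bytes protocol checks are assumptions made for illustration; a real application proxy parses the whole protocol, not just the opening bytes. The optional circuit-level fallback shows the alternative Ryan asked about: arbitrary ports relayed without protocol enforcement.

```python
# Added example (not from the post): a toy model of an application-gateway
# rule table keyed by (inbound interface, destination port).
# The protocol sniffers below are simplified assumptions, not a real proxy's parser.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

IAC = 0xFF                               # telnet "Interpret As Command" byte
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}     # telnet WILL, WONT, DO, DONT


@dataclass(frozen=True)
class Rule:
    proxy: str          # application proxy that owns this connection
    outside_port: int   # port used on the firewall-to-server session


@dataclass(frozen=True)
class Decision:
    action: str                       # "proxy", "circuit" or "deny"
    proxy: Optional[str] = None
    outside_port: Optional[int] = None
    reason: str = ""


# Hypothetical rule set: inside-NIC traffic to port 2300 is proxied as telnet
# and re-originated by the firewall on the server's real telnet port, 23.
# Nothing arriving on the outside NIC is mapped, so it is denied.
RULES: Dict[Tuple[str, int], Rule] = {
    ("inside", 2300): Rule("telnet", 23),
    ("inside", 80):   Rule("http", 80),
    ("inside", 22):   Rule("ssh", 22),
}


def looks_like_telnet(data: bytes) -> bool:
    # Typical telnet clients open with option negotiation: IAC <WILL|WONT|DO|DONT> <opt>
    return len(data) >= 3 and data[0] == IAC and data[1] in NEGOTIATE


def looks_like_http(data: bytes) -> bool:
    request_line = data.split(b"\r\n", 1)[0].split(b" ")
    return (len(request_line) == 3
            and request_line[0] in (b"GET", b"HEAD", b"POST")
            and request_line[2].startswith(b"HTTP/"))


def looks_like_ssh(data: bytes) -> bool:
    return data.startswith(b"SSH-")   # SSH identification string


VALIDATORS: Dict[str, Callable[[bytes], bool]] = {
    "telnet": looks_like_telnet,
    "http": looks_like_http,
    "ssh": looks_like_ssh,
}


def dispatch(iface: str, dst_port: int, first_bytes: bytes,
             circuit_fallback: bool = False) -> Decision:
    """Decide how the gateway handles a newly accepted inside session.

    The inside session (client -> firewall) already exists; the decision is
    whether, and on which port, to open the outside session (firewall -> server).
    """
    rule = RULES.get((iface, dst_port))
    if rule is None:
        if circuit_fallback:
            # Circuit-level relay: bytes copied through, no protocol enforcement.
            return Decision("circuit", outside_port=dst_port,
                            reason="no application proxy mapped; relaying as a circuit")
        return Decision("deny", reason=f"no proxy mapped for {iface}:{dst_port}")
    if not VALIDATORS[rule.proxy](first_bytes):
        # The port is reserved for one protocol; anything else is refused.
        return Decision("deny", reason=f"port {dst_port} is reserved for {rule.proxy}")
    return Decision("proxy", rule.proxy, rule.outside_port,
                    reason=f"{rule.proxy} proxy, re-originated on port {rule.outside_port}")


if __name__ == "__main__":
    # Constructed sample connections: (interface, port, first bytes from the client)
    samples = [
        ("inside", 2300, b"\xff\xfd\x18"),            # IAC DO TERMINAL-TYPE
        ("inside", 2300, b"GET / HTTP/1.0\r\n\r\n"),   # HTTP smuggled onto 2300
        ("outside", 2300, b"\xff\xfd\x18"),           # arrives on the wrong NIC
        ("inside", 4444, b"hello"),                   # unmapped port
    ]
    for iface, port, data in samples:
        print(iface, port, dispatch(iface, port, data))
        print(iface, port, dispatch(iface, port, data, circuit_fallback=True))
```

The two-session model is what makes the port rewrite possible: the decision returns the outside port separately from the inside one, so the client's port 2300 becomes the server's port 23 on the far side of the firewall.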

