Firewall Wizards mailing list archives
RE: SingleHomedHost
From: Elizabeth Zwicky <zwicky () counterpane com>
Date: Fri, 25 May 2001 09:31:40 -0700
> I also understand why the Packet-Filtering Router should drop outgoing packets, unless they originate from the Proxy Server. However, since the Proxy Server only has one NIC, and since it appears to be on the same segment as the internal LAN, how does the Proxy Server intercept outgoing traffic?
The proxy server does not need to intercept the outgoing traffic; the hosts must direct their traffic to it. If the hosts do not direct traffic to it, the traffic won't get out. That is why the packet-filtering router drops outgoing packets from hosts other than the proxy server.
> Building Internet Firewalls seems to suggest that the NIC needs to be put into promiscuous mode, so that it can intercept all outbound traffic. This seems to me to be a strange solution.
There are some transparent proxy servers that are able to work this way, which is a convenience, since when this works, you don't need to configure hosts to direct traffic to the proxy server. Transparent proxy servers like this are generally dual-interface and act as bridges, so that you can put them directly in front of the router. However, even if they aren't, in this configuration traffic that doesn't reach the proxy server doesn't get anywhere, and people will be strongly motivated to fix it.
Elizabeth
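The outbound rule discussed in this message, modelled as an added example (not part of the original post): a first-match filter on the router that permits only the proxy's source address, plus a tally of dropped sources to find hosts not yet pointed at the proxy. All addresses, function names and the traffic sample are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed addressing (assumption): one internal LAN with a single-homed proxy on it.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
PROXY = ipaddress.ip_address("192.0.2.10")

# First-match outbound rules on the packet-filtering router: (source network, action).
OUTBOUND_RULES = [
    (ipaddress.ip_network(f"{PROXY}/32"), "permit"),  # only the proxy may go out
    (INTERNAL_NET, "drop"),                            # every other internal host is dropped
    (ipaddress.ip_network("0.0.0.0/0"), "drop"),       # default deny for any other source
]

def filter_outbound(src):
    """Return the action of the first rule whose network contains src."""
    addr = ipaddress.ip_address(src)
    for net, action in OUTBOUND_RULES:
        if addr in net:
            return action
    return "drop"

def addressed_to_proxy(src, dst):
    """True when an internal host sends to the proxy itself: the packet stays on
    the shared segment and the router never filters it."""
    return ipaddress.ip_address(src) in INTERNAL_NET and ipaddress.ip_address(dst) == PROXY

def hosts_bypassing_proxy(packets):
    """Count router drops per source: hosts that still try to go out directly."""
    drops = Counter()
    for src, dst in packets:
        if addressed_to_proxy(src, dst):
            continue
        if filter_outbound(src) == "drop":
            drops[src] += 1
    return dict(drops)

# Constructed traffic sample: (source, destination)
SAMPLE = [
    ("192.0.2.21", "192.0.2.10"),    # workstation configured to use the proxy
    ("192.0.2.10", "198.51.100.7"),  # proxy connecting out on its behalf
    ("192.0.2.33", "198.51.100.7"),  # workstation trying to go direct
    ("192.0.2.33", "203.0.113.5"),
]

if __name__ == "__main__":
    print(hosts_bypassing_proxy(SAMPLE))
```

No promiscuous mode is involved: the proxy only handles traffic that hosts address to it, and the router's drop counters show which hosts still need to be configured.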