Firewall Wizards mailing list archives
Re: SingleHomedHost
From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Tue, 29 May 2001 10:27:15 -0400
On Thu, May 24, 2001 at 03:45:26PM +0000, Al.G. Protosimaki wrote:
> I am hoping someone can help with this problem. I am reading Building Internet Firewalls (O'Reilly). In their design section, they discuss a Screened Host deployment, which consists of:
>
> 1. A packet-filtering router
> 2. A single-homed host running a Proxy Server
> 3. A LAN
>
>     INTERNET ------- PFR ------------- LAN
>                                         |
>                                         |
>                                         PS
>
> I understand why the Packet-Filtering Router needs to be configured so that it will only allow incoming connections that are destined for the Proxy Server. I also understand why the Packet-Filtering Router should drop outgoing packets, unless they originate from the Proxy Server.
>
> However, since the Proxy Server only has one NIC, and since it appears to be on the same segment as the internal LAN, how does the Proxy Server intercept outgoing traffic? Building Internet Firewalls seems to suggest that the NIC needs to be put into promiscuous mode, so that it can intercept all outbound traffic. This seems to me to be a strange solution. For example, if the LAN uses a switch, how can the PS intercept the traffic?
>
> I guess my problem is that I do not understand, from a network design perspective, how one can design a network system that forces all outgoing traffic to be diverted to the single-homed box.
Your mistake is assuming that the other systems on that network are accessible and accessed from the outside. They are not. Only the PS IP address is available from the outside. This is enforced by the PFR. The PS proxies all requests from the inside and outside, so that both inside and outside appear to be addressing a single IP address as proxy, but that one machine - and only that one machine - has access to both worlds.

At least, as I understand it. I hope that this helps.

I prefer a dual- or multi-homed proxy server.

--
Joe Yao
jsdy () cospo osis gov - Joseph S. D. Yao
OSIS Center Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
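The policy the two messages describe (inbound only to the proxy, outbound only from the proxy, nothing "intercepted" on the LAN) is easy to see as a packet-filter rule set. The following is an added example, not code from the thread, from the book, or from any product the posters used: it models the PFR's decision for one packet. The addresses and ports are constructed, and the `ack` flag stands in for the "established connection" match a stateless filter of that era would use to let replies back to the proxy; both are assumptions of the example.

```python
"""Model of the screened-host packet filter discussed in the thread.

The packet-filtering router (PFR) sits between the Internet and the LAN;
the single-homed proxy server (PS) lives on the LAN.  The PFR rules reduce
to:

  * inbound (from the Internet): accept only if destined for the PS;
  * outbound (from the LAN):     accept only if it originates from the PS;
  * everything else is dropped.

A LAN client that tries to reach the Internet directly is simply dropped,
so it must be configured to talk to the PS: the PS never has to sniff or
intercept anything, which answers the promiscuous-mode question.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed addresses for the illustration (assumptions, not from the thread).
LAN = ipaddress.ip_network("192.0.2.0/24")      # the internal LAN behind the PFR
PROXY = ipaddress.ip_address("192.0.2.10")      # the single-homed proxy server (PS)
PROXY_PORTS = {8080, 1080}                      # assumed ports the PS listens on


@dataclass(frozen=True)
class Packet:
    src: str           # source IP address
    dst: str           # destination IP address
    dport: int         # destination TCP port
    iface: str         # "ext" = arrived from the Internet side, "int" = arrived from the LAN
    ack: bool = False  # TCP ACK set: packet belongs to an already-open connection


def pfr_decision(pkt: Packet) -> str:
    """Return 'ACCEPT' or 'DROP' for one packet under the screened-host policy."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.iface == "ext":
        # Anti-spoofing: a packet from the Internet must not claim a LAN source.
        if src in LAN:
            return "DROP"
        # Inbound: only the PS is reachable.  New connections only to its
        # service ports; replies to connections the PS opened (ACK set) on any port.
        if dst == PROXY and (pkt.dport in PROXY_PORTS or pkt.ack):
            return "ACCEPT"
        return "DROP"

    if pkt.iface == "int":
        # Outbound: only traffic the PS itself sends may leave.  Any other LAN
        # host trying to reach the Internet directly is dropped, which is what
        # forces clients through the proxy.
        if src == PROXY and dst not in LAN:
            return "ACCEPT"
        return "DROP"

    return "DROP"  # unknown interface: fail closed


def filter_packets(packets: Iterable[Packet]) -> List[Tuple[Packet, str]]:
    """Apply the policy to a batch of packets and return (packet, verdict) pairs."""
    return [(p, pfr_decision(p)) for p in packets]


# Constructed sample traffic, one packet per case the thread talks about.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", 8080, "ext"),             # Internet -> PS service port
    Packet("198.51.100.7", "192.0.2.20", 80, "ext"),               # Internet -> ordinary LAN host
    Packet("192.0.2.20", "198.51.100.7", 80, "int"),               # LAN host trying to bypass the PS
    Packet("192.0.2.10", "198.51.100.7", 80, "int"),               # PS fetching on a client's behalf
    Packet("198.51.100.7", "192.0.2.10", 40000, "ext", ack=True),  # reply to the PS's own connection
    Packet("192.0.2.99", "192.0.2.10", 8080, "ext"),               # spoofed LAN source from outside
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE):
        print(f"{verdict:6} {pkt.iface:3} {pkt.src} -> {pkt.dst}:{pkt.dport} ack={pkt.ack}")
```

Running it prints one verdict per sample packet; the third line (the LAN host going straight to the Internet) is the DROP that makes the single-homed design work, and the fifth shows why the inbound rule cannot be "proxy service ports only": the proxy's own outbound connections need their replies let back in.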
Current thread:
- SingleHomedHost Al.G. Protosimaki (May 25)
- Re: SingleHomedHost Drew Simonis (May 25)
- Re: SingleHomedHost Ryan Russell (May 25)
- Re: SingleHomedHost Joseph S D Yao (May 30)
- <Possible follow-ups>
- RE: SingleHomedHost Elizabeth Zwicky (May 25)