Hi,
> I can understand this statement if it comes from a packet filter.
> But with an application gateway, how can such transparency be
> implemented? For a poor soul whose only firewalling experience
> was with TIS FWTK and ip filter, a transparent AG sounds too good
> to be true.
It's very easy. Those proxies are able to listen to every TCP connection
which is issued THROUGH the firewall instead of TO it. That means (this is an
example of an outgoing transparent proxy; incoming is just as simple):
  1.2.3.4       2.3.3.1  2.3.3.2       2.3.3.3
  [REMOTE]--------[FW]----------[local]

  telnet local
  1.2.3.4:23 <- 2.3.3.3:1025
The firewall sees a TCP connection from local to remote. Instead of
forwarding the packets for this destination/port, it accepts the connection
itself. This means that it receives packets directed to REMOTE and sends
them to the application layer, and it sends answers from the application
layer to the "local" client with the sender address of the remote host. Then
the FW looks at the established connection and extracts the addresses of the
local and remote sides. It authenticates the connection in any desired way
and then opens a connection from its external interface to the remote side.
(The firewall has two options here: it can use its own address as the sender
or the address of the local host:)
completely transparent:

  1.2.3.4                     2.3.3.1  2.3.3.2                   2.3.3.3
  [REMOTE]----------------------[FW]---------------------[local]

  telnet local
  1.2.3.4:23 <------ 2.3.3.3:1026     1.2.3.4:23 <------- 2.3.3.3:1025
  "connection from local"
with address masquerading:

  1.2.3.4                     2.3.3.1  2.3.3.2                   2.3.3.3
  [REMOTE]----------------------[FW]---------------------[local]

  telnet local
  1.2.3.4:23 <------ 2.3.3.1:1026     1.2.3.4:23 <------- 2.3.3.3:1025
  "connection from fw"
At least this is how the Linux Transparent_proxy support works. You can
redirect forwarded connections to local ports:
(meta syntax)

  ipfwadm localnet:any -> default:23 redirect fw:2000

Any time somebody from the inside of your network tries to connect to a host
outside of the network, he/she will be connected to port 2000 of the
firewall instead. On this port you have a normal Telnet-GW running, with the
exception that the GW doesn't ask for the destination to connect to, but
guesses the connection from the local address on the firewall the host is
connected to.
Greetings
Bernd
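The transparent telnet gateway the message describes, as an added Python sketch (example code, not Bernd's code and not the kernel's): the gateway accepts the redirected connection, recovers the dialed destination from the accepted socket's local address (the "guess"), applies a constructed allow-list in place of the authentication step, logs the decision, and relays both ways from its own address. Assumed: a loopback echo server standing in for REMOTE and a userspace stand-in for the ipfwadm redirect, since no kernel redirect exists in a demo.

```python
import socket
import threading

# Constructed allow-list, standing in for "authenticates the connection in any desired way".
ALLOWED_DEST_PORTS = {23}

def original_destination(conn):
    """The message's "guess": on those kernels the accepted socket's local address is
    still the remote host the client dialed. (Modern netfilter REDIRECT: SO_ORIGINAL_DST.)"""
    return conn.getsockname()[:2]

def policy_allows(client, dest, allowed=ALLOWED_DEST_PORTS):
    ok = dest[1] in allowed  # deny unless the dialed port is allow-listed
    print("ALLOW" if ok else "DENY", f"{client[0]}:{client[1]} -> {dest[0]}:{dest[1]}")
    return ok

def pump(src, dst):
    while chunk := src.recv(4096):  # copy one direction until EOF
        dst.sendall(chunk)
    dst.shutdown(socket.SHUT_WR)  # then pass the EOF on to the far side

def handle(conn, connect=socket.create_connection, allowed=ALLOWED_DEST_PORTS):
    """Policy check, then relay both ways; the gateway dials out from its own address."""
    client, dest = conn.getpeername()[:2], original_destination(conn)
    if not policy_allows(client, dest, allowed):
        conn.close()
        return "denied"
    with conn, connect(dest) as upstream:
        back = threading.Thread(target=pump, args=(upstream, conn))
        back.start()
        pump(conn, upstream)
        back.join()
    return "relayed"

def demo_roundtrip(payload, allow):
    """Userspace stand-in for the kernel redirect: client -> gateway port -> echo server."""
    echo, gw = socket.create_server(("127.0.0.1", 0)), socket.create_server(("127.0.0.1", 0))
    allowed = {gw.getsockname()[1]} if allow else set()
    def echo_once():
        with echo, echo.accept()[0] as s:
            pump(s, s)
    threading.Thread(target=echo_once, daemon=True).start()
    with gw, socket.create_connection(gw.getsockname()) as client:
        conn, _ = gw.accept()
        if allow:  # a refused client has typed nothing yet; its socket is simply closed
            client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        # Without a real redirect getsockname() names the gateway itself, so dial the echo server.
        dial = lambda _dest: socket.create_connection(echo.getsockname())
        return handle(conn, dial, allowed), b"".join(iter(lambda: client.recv(4096), b""))
```

With a real redirect in front of it, `handle()` would be called on each connection accepted on the gateway port (2000 in the message) and `connect` left at its default.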