The Black Hole firewall uses two methods to move data between
inside and outside. The real distinction is whether or not the
real destination address is available, or specifiable. We use the
following definitions when talking to each other:
gateway - this is something where the user connects to the firewall,
and says "connect me there" to the gateway. Most of the TIS
programs fall into this category without the "-plug-to" clause.
proxy - the firewall figures out where the data is supposed to go,
and just connects things through (after appropriate challenges).
Our firewall spoofs for every IP address, and makes this
information available to the proxies. In the "-noauth" case,
the user just doesn't know the firewall is there. Because you
avoid the "-plug-to" restriction on destinations, things like
NNTP feeds to multiple places are no problem; port 119 just works.
filter - our firewall doesn't do any filtering of packets, since we
don't normally route any packets.
If the internal network is a private (unrouted) one, then all
proxies must behave in gateway mode, and prompt for the final
I would put SOCKSified systems in the "proxy" category; it is just that
the final destination address is passed along in a different fashion.
:!mcr!: | Milkyway Networks Corporation <http://www.milkyway.com/>
Michael Richardson | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 596-5549
Home: mcr @ ca <http://www.sandelman.ocunix.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.
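The three modes distinguished above (a "-plug-to" fixed destination, a proxy that already knows the real destination, and a gateway that must ask the user "connect me there"), written out as an added example. This is not Black Hole or TIS code. The policy constants, the function names, the "connect host port" request syntax and the Linux SO_ORIGINAL_DST lookup (used here to stand in for Black Hole's address spoofing, which is a different mechanism) are all assumptions made for the example. The point it makes is that the destination comes from a different source in each mode, and that the same policy check has to run on whichever source it is, with the fall-back to gateway mode when no real destination is available.

```python
"""Destination selection for a TIS-style application proxy in three modes.
Added example; not Black Hole or TIS code. Policy values are constructed."""
import ipaddress
import re
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

Dest = Tuple[str, int]

# Constructed policy for the example: ports a proxy may relay, and the
# private (unrouted) internal network whose addresses are never a real
# outside destination.
ALLOWED_PORTS = {25, 80, 119}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Gateway-mode request, in the spirit of a "connect host port" line.
# The user's line is untrusted input: anchor the pattern and cap the port.
GATEWAY_RE = re.compile(r"^connect\s+([A-Za-z0-9.-]{1,253})\s+(\d{1,5})\s*$")


@dataclass
class Decision:
    mode: str            # "plug-to", "proxy", "gateway" or "reject"
    dest: Optional[Dest]
    reason: str


def parse_gateway_request(line: str) -> Optional[Dest]:
    """Parse 'connect host port'; None if malformed or port out of range."""
    m = GATEWAY_RE.match(line)
    if not m:
        return None
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    return m.group(1), port


def is_internal(host: str) -> bool:
    """True if host is an IP literal inside the unrouted internal network."""
    try:
        return ipaddress.ip_address(host) in INTERNAL_NET
    except ValueError:
        return False   # a hostname: resolution and policy happen later


def original_destination(sock: socket.socket) -> Optional[Dest]:
    """Proxy mode on Linux: recover the real destination of a connection
    intercepted by netfilter's REDIRECT target (assumption: Linux only;
    this stands in for Black Hole's own address spoofing)."""
    SO_ORIGINAL_DST = 80  # from linux/netfilter_ipv4.h
    try:
        raw = sock.getsockopt(getattr(socket, "SOL_IP", 0), SO_ORIGINAL_DST, 16)
    except OSError:
        return None       # not intercepted, or not Linux: destination unknown
    # struct sockaddr_in: 2-byte family, 2-byte port (network order),
    # 4-byte address, 8 bytes of padding.
    port, ip = struct.unpack("!2xH4s8x", raw)
    return socket.inet_ntoa(ip), port


def choose_destination(plug_to: Optional[Dest],
                       transparent_dst: Optional[Dest],
                       client_line: str) -> Decision:
    """Pick the relay target, applying the same policy in every mode."""
    if plug_to is not None:
        # -plug-to: destination fixed by configuration; nothing to decide.
        return Decision("plug-to", plug_to, "fixed by -plug-to")
    if transparent_dst is not None:
        # proxy: the firewall already knows where the packet was going.
        dest, mode = transparent_dst, "proxy"
    else:
        # gateway: no real destination is available (private, unrouted
        # inside network), so the user has to say "connect me there".
        dest, mode = parse_gateway_request(client_line), "gateway"
        if dest is None:
            return Decision("reject", None, "malformed gateway request")
    host, port = dest
    if port not in ALLOWED_PORTS:
        return Decision("reject", None, f"port {port} not permitted")
    if is_internal(host):
        return Decision("reject", None, "destination is on the internal net")
    return Decision(mode, dest, "permitted")


if __name__ == "__main__":
    # Constructed inputs: an intercepted NNTP connection, and a gateway
    # request typed by a user on a private inside network.
    print(choose_destination(None, ("192.0.2.10", 119), ""))
    print(choose_destination(None, None, "connect news.example.net 119"))
```

`original_destination` is only meaningful on a Linux host where the listener receives REDIRECTed traffic; on anything else it returns None and the caller falls through to gateway mode, which is exactly the behaviour the post describes for a private, unrouted inside network.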
From: cnewmark @ com (craig newmark)