Hi Folx,
In case some of you haven't had the opportunity to try out a
transparent proxy product I'll give you a quickie on how it works.
Basically the dual homed bastion listens (i.e. promiscuously)
on each of its interfaces for packets which don't belong on that net and,
based on rules, passes them out the other interface. By doing this a machine
inside your "unrouted" clean net can generate (say) a telnet packet for
some machine on the internet; the xparent proxy machine will see that
packet and recognise it as "non-local" traffic. It can then (governed by
access lists of course) make a socket connection with the originator,
"fooling" the originator into thinking it is the 'net machine that the packet
was destined for. While this is going on the xparent proxy then makes a
connection on its other interface to the machine the originator was trying
to contact and then completes the application circuit. Voila!! This is
great technology AFAIC.
Now for the question part. Quite a few products can behave as
outlined above. What I want to do is to have outside systems "application
circuited" to internal machines via the transparent proxy. The problem is
however that the internal net is unrouted and has a "secret" address space.
This makes it impossible to give an internal address to somebody on the
'net and have them go through the transparent proxy as we would to get out.
To solve this problem, I thought what would be great is if the
transparent proxy machine could be told that packets destined for an
address on one of its interfaces that looks local (to an IP address that
does not really exist in the DMZ address space) should really be mapped to
a machine on the other interface.
For example...

                                        Internet           Services
                                           |               Machine
                                         Router           192.1.1.1
                                       192.1.1.254            |
                                           |                  |
  DMZ Net 192.1.1.0                        |                  |
  ----------------------------------------------------------------------
                        |
                   192.1.1.253
                   Xparent                                 Inside
                   Proxy System                            System
                   192.2.3.254                             192.2.3.1
  Inside Clean Net 192.2.3.0  |                               |
  ----------------------------------------------------------------------
The box 192.2.3.1 wants to get (say) an nntp feed, however
192.2.3.0 is not routed by the Internet routers. 192.1.1.0 is though. I
would like to instruct the "Xparent Proxy System" to take all packets
destined to 192.1.1.2 (notice it is not a real machine in the 192.1.1.0
net) for service nntp (port 119) and circuit gateway them to 192.2.3.1.
I should note that it's not good enough to have the nntp feed
directed at 192.1.1.253.119 and have it circuited to 192.2.3.1.119, as there
could be more than one box inside that wants external representation (more
than one system wanting an nntp feed in this example - nntp was probably a
bad service to pick to explain the problem). I need to set up many 1 to 1
relationships instead of 1 to many or many to 1.
Does anybody know of any transparent proxy firewall products that
can do this??
b.
--
Brian J. Murrell                                   brian@ilinx.com
InterLinx Support Services, Inc.                   brian@wimsey.com
North Vancouver, B.C.                              604 983 UNIX
Platform and Brand Independent UNIX Support - R3.2 - R4 - BSD
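The behaviour the post asks for (non-local packets intercepted on one interface, and fixed 1-to-1 mappings from fake DMZ addresses to real inside hosts) is easy to state as a rule table. The model below is an added example for this thread, not code from any of the products mentioned; it uses the addresses from the diagram above, while 192.2.3.2, the Internet peers, the allowed outbound ports and all class and function names are constructed for illustration. It only classifies the first packet of a connection and describes the two TCP legs a circuit gateway would splice; it does not move traffic.

```python
"""Model of a transparent (circuit-level) proxy with 1-to-1 inbound mappings.
Added example for the firewalls thread; the rule table and names are
constructed, the network addresses are the ones in the post's diagram."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass(frozen=True)
class InboundRule:
    """One 1-to-1 relationship: a DMZ-side address the proxy answers for
    (no real host has it) mapped to a real host/port on the inside net."""
    public: Endpoint
    inside: Endpoint


@dataclass(frozen=True)
class Circuit:
    """The two TCP legs the proxy splices into one application circuit."""
    outer_peer: Endpoint      # who the proxy talks to on the first leg
    impersonated: Endpoint    # address the proxy answers as on that leg
    inner_source: Endpoint    # proxy's own address on the second leg (port 0 = ephemeral)
    inner_target: Endpoint    # real host the second leg connects to


class TransparentProxy:
    def __init__(self, dmz_net: str, inside_net: str, dmz_addr: str,
                 inside_addr: str, rules: Iterable[InboundRule],
                 outbound_ports: Iterable[int]) -> None:
        self.dmz_net = ipaddress.ip_network(dmz_net)
        self.inside_net = ipaddress.ip_network(inside_net)
        self.dmz_addr = dmz_addr
        self.inside_addr = inside_addr
        self.outbound_ports = set(outbound_ports)
        self.rules: Dict[Tuple[str, int], InboundRule] = {}
        for r in rules:
            key = (r.public.ip, r.public.port)
            # Two inside boxes may not share one public address:port.
            if key in self.rules:
                raise ValueError(f"duplicate mapping for {key}")
            if ipaddress.ip_address(r.public.ip) not in self.dmz_net:
                raise ValueError(f"{r.public.ip} is not in the DMZ net")
            if ipaddress.ip_address(r.inside.ip) not in self.inside_net:
                raise ValueError(f"{r.inside.ip} is not in the inside net")
            self.rules[key] = r

    def decide(self, src: Endpoint, dst: Endpoint) -> Tuple[str, Optional[Circuit]]:
        """Classify the first packet of a TCP connection as seen on the wire.
        Returns ("circuit", Circuit) when the proxy splices one,
        ("deny", None) when the access list blocks it, and
        ("ignore", None) when the packet is not the proxy's business."""
        src_ip = ipaddress.ip_address(src.ip)
        dst_ip = ipaddress.ip_address(dst.ip)

        # Inside -> out: seen on the clean-net interface, destination is not
        # local.  The proxy answers as dst and opens its own leg from the DMZ.
        if src_ip in self.inside_net and dst_ip not in self.inside_net:
            if dst.port not in self.outbound_ports:
                return ("deny", None)
            return ("circuit", Circuit(
                outer_peer=src, impersonated=dst,
                inner_source=Endpoint(self.dmz_addr, 0), inner_target=dst))

        # Out -> inside: only an explicit 1-to-1 rule for the (fake) DMZ
        # address creates a circuit; anything else is ordinary DMZ traffic.
        if src_ip not in self.inside_net and dst_ip in self.dmz_net:
            rule = self.rules.get((dst.ip, dst.port))
            if rule is None:
                return ("ignore", None)
            return ("circuit", Circuit(
                outer_peer=src, impersonated=dst,
                inner_source=Endpoint(self.inside_addr, 0),
                inner_target=rule.inside))

        return ("ignore", None)


# Diagram addresses; 192.2.3.2 and the Internet peers are constructed.
PROXY = TransparentProxy(
    dmz_net="192.1.1.0/24", inside_net="192.2.3.0/24",
    dmz_addr="192.1.1.253", inside_addr="192.2.3.254",
    rules=[
        InboundRule(Endpoint("192.1.1.2", 119), Endpoint("192.2.3.1", 119)),
        InboundRule(Endpoint("192.1.1.3", 119), Endpoint("192.2.3.2", 119)),
    ],
    outbound_ports=[23, 119],
)

if __name__ == "__main__":
    for src, dst in [(Endpoint("198.51.100.7", 40000), Endpoint("192.1.1.2", 119)),
                     (Endpoint("192.2.3.1", 5000), Endpoint("203.0.113.5", 23))]:
        print(src, "->", dst, PROXY.decide(src, dst))
```

Each InboundRule is one of the "many 1 to 1 relationships" from the post: a second news server inside simply gets a second unused DMZ address, and the constructor refuses a table that maps one public address:port to two inside hosts. Inbound packets for a DMZ address with no rule are left alone rather than denied, because the proxy cannot tell from the packet alone whether a real DMZ host owns that address.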