Firewall Wizards mailing list archives
RE: SingleHomedHost
From: Elizabeth Zwicky <zwicky () counterpane com>
Date: Fri, 25 May 2001 09:31:40 -0700
I also understand why the Packet-Filtering Router should drop outgoing packets, unless they originate from the Proxy Server. However, since the Proxy Server only has one NIC, and since it appears to be on the same segment as the internal LAN, how does the Proxy Server intercept outgoing traffic?
The proxy server does not need to intercept the outgoing traffic;
the hosts must direct their traffic to it. If the hosts do not
direct traffic to it, the traffic won't get out. That is why the
packet-filtering router drops outgoing packets from hosts other
than the proxy server.
Building Internet Firewalls seems to suggest that the NIC needs to be put into promiscuous mode, so that it can intercept all outbound traffic. This seems to me to be a strange solution.
There are some transparent proxy servers that are able to work this
way, which is a convenience, since when this works, you
don't need to configure hosts to direct traffic to the proxy server.
Transparent proxy servers like this are generally dual-interface
and act as bridges, so that you can put them directly in front
of the router. However, even if they aren't, in this configuration
traffic that doesn't reach the proxy server doesn't get anywhere,
and people will be strongly motivated to fix it.
Elizabeth
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
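The policy Elizabeth describes, modelled as an added example that is not part of the original post or thread: the packet-filtering router only forwards outbound packets sourced from the single-homed proxy, internal hosts must hand their requests to the proxy on the shared segment, and replies from outside are only ever forwarded to the proxy. The addresses, ports, interface names and sample packets are constructed for illustration and are not from the thread.

```python
"""Model of the outbound filtering policy from the thread.

Added example, not from the original post. Topology (constructed):
internal hosts and the single-homed proxy share one LAN segment; the
packet-filtering router connects that segment to the outside.
"""
from dataclasses import dataclass

# Constructed addresses (assumptions, not from the thread)
INTERNAL_NET = "10.0.0."   # internal LAN prefix
PROXY_ADDR = "10.0.0.2"    # single-homed proxy, on the internal segment
PROXY_PORT = 3128          # port clients are configured to send requests to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str   # interface the router would receive it on: "inside" or "outside"


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_NET)


def router_decision(pkt: Packet) -> str:
    """Return 'forward' or 'drop' for a packet that reaches the router."""
    if pkt.iface == "inside":
        # Outbound: only the proxy may originate traffic to the outside.
        # A host that bypasses the proxy simply gets nowhere.
        if pkt.src == PROXY_ADDR and not is_internal(pkt.dst):
            return "forward"
        return "drop"
    if pkt.iface == "outside":
        # Inbound: an internal source address cannot legitimately arrive
        # from outside, and replies are only ever owed to the proxy.
        if is_internal(pkt.src):
            return "drop"
        if pkt.dst == PROXY_ADDR:
            return "forward"
        return "drop"
    return "drop"


def trace(pkt: Packet) -> str:
    """Follow a packet from its origin: 'local' means it is delivered on
    the shared LAN segment (e.g. a client request to the proxy) and the
    router never sees it; otherwise the router's decision is returned."""
    if pkt.iface == "inside" and is_internal(pkt.dst):
        return "local"
    return router_decision(pkt)


def demo() -> dict:
    """Constructed packets illustrating each case in the thread."""
    cases = {
        "host direct to web server":  Packet("10.0.0.5", "203.0.113.10", 80, "inside"),
        "host request to proxy":      Packet("10.0.0.5", PROXY_ADDR, PROXY_PORT, "inside"),
        "proxy to web server":        Packet(PROXY_ADDR, "203.0.113.10", 80, "inside"),
        "reply to proxy":             Packet("203.0.113.10", PROXY_ADDR, 40000, "outside"),
        "reply to host":              Packet("203.0.113.10", "10.0.0.5", 40000, "outside"),
        "internal source from outside": Packet("10.0.0.7", "203.0.113.10", 80, "outside"),
    }
    return {name: trace(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30s} -> {result}")
```

The "host direct to web server" case is the one the router's drop rule exists for: the packet crosses the segment toward the router and is dropped, so the only working path for an internal host is the "host request to proxy" case, which never leaves the LAN segment at all. That is why the proxy needs neither a second NIC nor a promiscuous-mode interface in this layout.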