Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

From: "Al.G. Protosimaki" <aprotosimaki () hotmail com>
Date: Thu, 24 May 2001 15:45:26

I am hoping someone can help with this problem.

I am reading Building Internet Firewalls (Oreilly)

In their design section, they discuss a Screened Host deployment, which consists of:

1. A packet-filtering router
2. A single homed host running a Proxy Server
3. A LAN

INTERNET  -------  PFR  ------------- LAN

I understand why the Packet-Filtering Router needs to be configured so
that it will only allow incoming connections that are destined for the Proxy Server.

I also understand why the Packet-Filtering Router should drop outgoing packets, unless they originate from the Proxy Server.

However, since the Proxy Server only has one NIC, and since it appears to be on the same segment as the internal LAN, how does the Proxy Server intercept outgoing traffic?

Building Internet Firewalls seems to suggest that the NIC needs to be put into promiscuous mode, so that it can intercept all outbound traffic. This seems to me to be a strange solution.

For example, if the LAN uses a switch, how can the PS intercept
the traffic?

I guess my problem is that I do not understand, from a network design perspective, how one can design a network system that forces all outgoing traffic to be diverted to the single-homed box.

Any ideas?



Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

firewall-wizards mailing list
firewall-wizards () nfr com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]