mailing list archives
From: "Al.G. Protosimaki" <aprotosimaki () hotmail com>
Date: Thu, 24 May 2001 15:45:26
I am hoping someone can help with this problem.
I am reading Building Internet Firewalls (Oreilly)
In their design section, they discuss a Screened Host deployment, which
1. A packet-filtering router
2. A single homed host running a Proxy Server
3. A LAN
INTERNET ------- PFR ------------- LAN
I understand why the Packet-Filtering Router needs to be configured so
that it will only allow incoming connections that are destined for the Proxy
I also understand why the Packet-Filtering Router should drop outgoing
packets, unless they originate from the Proxy Server.
However, since the Proxy Server only has one NIC, and since it appears to be
on the same segment as the internal LAN, how does the Proxy Server intercept
Building Internet Firewalls seems to suggest that the NIC needs to be put
into promiscuous mode, so that it can intercept all outbound traffic. This
seems to me to be a strange solution.
For example, if the LAN uses a switch, how can the PS intercept
I guess my problem is that I do not understand, from a network design
perspective, how one can design a network system that forces all outgoing
traffic to be diverted to the single-homed box.
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
firewall-wizards mailing list
firewall-wizards () nfr com
- SingleHomedHost Al.G. Protosimaki (May 25)