From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 25 May 2001 11:29:53 -0600 (MDT)
On Thu, 24 May 2001, Al.G. Protosimaki wrote:
> INTERNET ------- PFR ------------- LAN
The diagram is a bit out of date, and reflects a time when routers that
did packet filtering couldn't do both in and out on the same interface (or
performance dictated that you didn't) and they couldn't keep state.
A current diagram should have the line connecting the proxy directly to
the router, on a third interface. That way the router can enforce who
gets to talk to what in the way you want. The inside only gets to talk to
the proxy on port 1080 or whatever, and the proxy can only get to the
Internet, and get replies back inside.
firewall-wizards mailing list
firewall-wizards () nfr com
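The three-leg layout Ryan describes, modelled as a small stateful packet filter. This is an added example, not code from the original post or from the list: the interface names (eth0/eth1/eth2), the 10.0.0.0/24 inside network, the proxy address 192.0.2.10, the Internet hosts, and the use of TCP/1080 (SOCKS) for the proxy are all assumed. The model enforces exactly the policy in the post: the inside may only open connections to the proxy on 1080, the proxy may only open connections to the Internet, nothing unsolicited comes in, and replies are admitted only when the state table already knows the flow. It also adds the anti-spoofing check on each interface that a practitioner would want.

```python
"""Stateful three-interface filter: INSIDE <-> router <-> DMZ (proxy), router <-> OUTSIDE.
Added example; all addresses, interface names and the SOCKS port are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE, DMZ, OUTSIDE = "eth0", "eth1", "eth2"     # hypothetical interface names
INSIDE_NET = ip_network("10.0.0.0/24")           # assumed LAN
PROXY = ip_address("192.0.2.10")                 # assumed proxy address on the third leg
PROXY_PORT = 1080                                # SOCKS, "or whatever" per the post


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True   # True = new connection attempt, False = mid-stream or reply segment


def _spoofed(pkt):
    """Drop packets whose source address does not belong on the ingress interface."""
    src = ip_address(pkt.src)
    if pkt.iface == INSIDE:
        return src not in INSIDE_NET
    if pkt.iface == DMZ:
        return src != PROXY
    # Internet side: nothing may claim an inside or DMZ address
    return src in INSIDE_NET or src == PROXY


def _policy_allows_new(pkt):
    """Who may *open* a connection to whom; replies are handled by the state table."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.iface == INSIDE:
        return dst == PROXY and pkt.dport == PROXY_PORT          # inside -> proxy:1080 only
    if pkt.iface == DMZ:
        return src == PROXY and dst not in INSIDE_NET and dst != PROXY   # proxy -> Internet only
    return False                                                 # nothing unsolicited from outside


class StatefulFilter:
    def __init__(self):
        self.state = set()   # known flows as (src, sport, dst, dport)

    def handle(self, pkt):
        if _spoofed(pkt):
            return "DROP"
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:   # known flow, either direction
            return "ACCEPT"
        if pkt.syn and _policy_allows_new(pkt):      # new flow permitted by policy
            self.state.add(fwd)
            return "ACCEPT"
        return "DROP"


# Constructed sample traffic, processed in order through one filter instance.
SCENARIOS = [
    ("inside_to_proxy_socks", Packet(INSIDE, "10.0.0.5", 40000, "192.0.2.10", 1080)),
    ("proxy_reply_to_inside", Packet(DMZ, "192.0.2.10", 1080, "10.0.0.5", 40000, syn=False)),
    ("proxy_to_internet", Packet(DMZ, "192.0.2.10", 51000, "198.51.100.7", 80)),
    ("internet_reply_to_proxy", Packet(OUTSIDE, "198.51.100.7", 80, "192.0.2.10", 51000, syn=False)),
    ("inside_direct_to_internet", Packet(INSIDE, "10.0.0.5", 40001, "198.51.100.7", 80)),
    ("internet_to_proxy_unsolicited", Packet(OUTSIDE, "198.51.100.7", 1234, "192.0.2.10", 1080)),
    ("internet_to_inside", Packet(OUTSIDE, "198.51.100.7", 1234, "10.0.0.5", 445)),
    ("fake_reply_no_state", Packet(OUTSIDE, "198.51.100.9", 80, "192.0.2.10", 51001, syn=False)),
    ("spoofed_inside_src_from_internet", Packet(OUTSIDE, "10.0.0.9", 40002, "192.0.2.10", 1080)),
]


def run_scenarios():
    """Return {scenario name: verdict} for the constructed traffic above."""
    fw = StatefulFilter()
    return {name: fw.handle(pkt) for name, pkt in SCENARIOS}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{verdict:6} {name}")
```

The "fake_reply_no_state" case is the one a stateless filter cannot get right: it looks like a reply to the proxy, but no matching outbound flow exists, so a filter that keeps state drops it while a stateless "allow established-looking packets in" rule would let it through.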