At 03:29 08/12/00 +0100, Bernd Eckenfels wrote:
>On Thu, Dec 07, 2000 at 08:52:29PM -0500, Marcus J. Ranum wrote:
> > Can't do it without operating system mods to the underlying
> > host. The FTP protocol is so wretched that it's basically
> > impossible to proxy transparently.
>
>Actually, good operating systems support quite good functionality for doing
>that. Look at Linux's transparent proxy feature, where you can actually
>redirect any traffic to a local daemon and you can bind to actually any
>port/ip combination. That way you can handle the control connection in
>userspace and set up static NAT entries for the permitted data connections.
>Or you can even run them through a content filter.
>
>I think BSDs have the same feature?
Yep, ipfw does the same "absorb" as on Linux (and as in the Gauntlet, at least
as the Gauntlet was :).

IP Filter comes with a patch for the FWTK. It doesn't work without the patch
because IP Filter always maps addresses even if they are redirected to the local
stack, probably because it has to run on Solaris where the "got ours" wouldn't
work :) I would love it if Darren added an absorb for platforms where source
code is available. While that would be OS specific, it has benefits: transparency
is immediate (the standard getsockname suffices), no need to recompute the
checksum (the packet is not modified), no need to keep a "NAT state" (except if a
filtering rule requires it).
cheers,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
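The thread above describes the split that makes transparent FTP proxying workable: the control connection is handled by a userspace daemon, and each data connection the two ends negotiate is turned into a narrowly scoped, static NAT or permit entry. What the daemon actually has to do is parse the PORT command (active mode, client listens) and the 227 reply (passive mode, server listens), derive the endpoint, and decide whether to permit it. The following is an added example, not code from the thread, the FWTK, IP Filter or ipfw; it parses both forms and applies one check a practitioner would want that the posts do not spell out: the announced address must be the control-channel peer that is supposed to be listening, otherwise the proxy would be opening a hole to a third host (the classic FTP bounce problem). The tuple it returns is a neutral (connector, listener, port) description of the entry to install; the syntax of the actual NAT or filter rule is firewall specific and is not shown.

```python
import re
from typing import NamedTuple, Optional, Tuple

class DataChannel(NamedTuple):
    mode: str   # "active": client sent PORT and will listen; "passive": server sent 227 and will listen
    host: str   # dotted-quad address announced in the command or reply
    port: int   # announced listening port (p1 * 256 + p2)

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply (RFC 959 style)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", port), or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None                       # an octet or port byte out of range: refuse
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None                       # port 0 is never a valid listener
    return host, port

def parse_port_command(line: str) -> Optional[DataChannel]:
    """Client side: 'PORT h1,h2,h3,h4,p1,p2' means the client will listen there."""
    m = re.match(r"^PORT\s+(\S+)\s*$", line.strip(), re.IGNORECASE)
    if not m:
        return None
    ep = _parse_hostport(m.group(1))
    return DataChannel("active", ep[0], ep[1]) if ep else None

def parse_pasv_reply(line: str) -> Optional[DataChannel]:
    """Server side: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' means the server will listen there."""
    line = line.strip()
    if not line.startswith("227"):
        return None
    ep = _parse_hostport(line)
    return DataChannel("passive", ep[0], ep[1]) if ep else None

def data_channel_rule(ch: DataChannel, client_ip: str, server_ip: str) -> Optional[Tuple[str, str, int]]:
    """Decide whether the announced data connection may be permitted.

    client_ip / server_ip are the two ends of the control connection the daemon
    already knows (on an 'absorbed' connection, getpeername/getsockname give them).
    Returns (connector_ip, listener_ip, listener_port) for the static entry to
    install, or None to refuse.  Assumption made here, not stated in the thread:
    the listener must be the control-channel peer itself, so a PORT or 227 that
    names some other host (an FTP bounce attempt) is rejected.
    """
    if ch.mode == "active":
        listener, connector = client_ip, server_ip   # server connects to the client's listener
    else:
        listener, connector = server_ip, client_ip   # client connects to the server's listener
    if ch.host != listener:
        return None                                  # announced address is not the peer: refuse
    if ch.port < 1024:
        return None                                  # refuse privileged ports as data listeners
    return connector, ch.host, ch.port

if __name__ == "__main__":
    # Constructed sample traffic for a control connection 192.168.1.10 <-> 203.0.113.5.
    for line in ("PORT 192,168,1,10,4,1\r\n", "227 Entering Passive Mode (203,0,113,5,195,80).\r\n",
                 "PORT 10,0,0,9,4,1\r\n"):
        ch = parse_port_command(line) or parse_pasv_reply(line)
        print(line.strip(), "->", ch, "->", data_channel_rule(ch, "192.168.1.10", "203.0.113.5") if ch else None)
```

The daemon would install the returned entry before relaying the PORT or 227 line onward and tear it down once the data connection closes, which is the "NAT state" the reply above says a filtering rule may still require even when the control connection itself is absorbed without address rewriting.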