At 20:02 11/03/01 -0500, Paul D. Robertson wrote:
>On Mon, 12 Mar 2001 [EMAIL PROTECTED] wrote:
>
> > hello
> > i have a question about transparent proxy.
> > if it build in app level, i thought it's impossible for transparent .
> > what's wrong with me?
> > thanks for all help
>
>Basically, transparent proxies usually sit where a router would, and inspect
>the traffic going through them on a raw socket and place them through an
>application layer filter of sorts (in the worst-case), or answer back as
>the original target and forward their own requests out (in the best case)
>through their external interface.
Paul, they don't need to use raw sockets (well, you said "basically", so....).
I'd say:

A proxy is said to be transparent when the user doesn't need to refer to it.
Technically, something redirects the flow to the proxy. That "something" is
a smart IP stack modification that does that. This is either done "easily"
by handing the traffic to the local transport handler (mostly the TCP stack)
or by doing NAT based redirection. The former is the simplest and is
implemented in Linux ip filters, BSD ipfw, Gauntlet, and many others. The NAT
method is implemented by ipfilter and others. The advantage of the first
method is that the proxy can retrieve the "real" destination by just a
sockname(), while the NAT method requires an integration with the NAT module
(there are patches to be compatible with ipnat/ipfilter).

Note that you shouldn't take the word transparent literally. The proxies
generally do a connection to their server using their own address, so the
server gets the proxy IP address as the client address. Some proxies may
transmit the original IP address as part of data (such as an HTTP header),
but this is not guaranteed.

Some proxies may implement a "fully transparent" mode where they use the
client IP address for their requests, but this requires modifications to the
TCP/UDP stack (simple transparency requires modifications to the IP stack,
not the TCP/UDP/* parts!). Namely, normal stacks refuse a call to bind() to
a non-local address. As an example, this is provided by Gauntlet proxies
using the "force_source_address" directive (or something like that, I
forgot...).
cheers,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
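The two points in the reply above, recovering the "real" destination on the proxy side and the stack refusing bind() to a non-local address, can be shown in a few lines. This is an added example, not code from the thread or from any of the products named in it. It assumes a Linux stack: the SO_ORIGINAL_DST (80) and IP_TRANSPARENT (19) option values are the Linux ones, and the sockaddr bytes and addresses used are constructed for the demonstration.

```python
"""Transparent-proxy plumbing on the proxy host (added example, Linux assumed).

Method 1 (stack hands the redirected flow to the local TCP handler, e.g.
Linux TPROXY): getsockname() on the accepted socket still reports the
destination the client asked for.
Method 2 (NAT redirection, e.g. an iptables REDIRECT rule): the local
address was rewritten, so the proxy must ask the NAT module, which on Linux
is the SO_ORIGINAL_DST socket option.
"""
import errno
import socket
import struct

SO_ORIGINAL_DST = 80   # Linux netfilter conntrack option (assumed constant)
IP_TRANSPARENT = 19    # Linux option that permits bind() to a non-local address


def parse_sockaddr_in(raw: bytes) -> tuple[str, int]:
    """Decode a struct sockaddr_in as returned by SO_ORIGINAL_DST.

    Layout: sa_family (2 bytes, host order, skipped), sin_port (2 bytes,
    network order), sin_addr (4 bytes), 8 bytes of zero padding.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    port, addr = struct.unpack("!2xH4s", raw[:8])
    return socket.inet_ntoa(addr), port


def original_destination(conn: socket.socket) -> tuple[str, int]:
    """Return the destination the client intended, trying the NAT module
    first (method 2) and falling back to getsockname() (method 1).

    The NAT query fails with an OSError when no conntrack NAT entry exists
    for the connection, which is exactly the method-1 case.
    """
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
        return parse_sockaddr_in(raw)
    except OSError:
        host, port = conn.getsockname()[:2]
        return host, port


def bind_non_local(addr: str, transparent: bool = False) -> str:
    """Attempt to bind a TCP socket to `addr`, port 0.

    A normal stack refuses an address the host does not own with
    EADDRNOTAVAIL; this is what "fully transparent" mode has to get around.
    With transparent=True the Linux IP_TRANSPARENT option is set first, which
    additionally needs CAP_NET_ADMIN, so unprivileged callers see EPERM.
    Returns "ok" on success or the errno name on failure.
    """
    s = None
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if transparent:
            s.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
        s.bind((addr, 0))
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        if s is not None:
            s.close()


# Constructed sockaddr_in: family in host order, then 198.51.100.7:443.
SAMPLE_ORIGINAL_DST = (
    struct.pack("=H", socket.AF_INET)
    + struct.pack("!H4s8x", 443, socket.inet_aton("198.51.100.7"))
)

if __name__ == "__main__":
    print("decoded SO_ORIGINAL_DST:", parse_sockaddr_in(SAMPLE_ORIGINAL_DST))
    # 192.0.2.1 is TEST-NET-1 and is not configured on this host.
    print("bind to non-local 192.0.2.1:", bind_non_local("192.0.2.1"))
    print("bind to wildcard 0.0.0.0:", bind_non_local("0.0.0.0"))
    print("bind with IP_TRANSPARENT:", bind_non_local("192.0.2.1", transparent=True))
```

In a real proxy, `original_destination()` is called on each socket returned by `accept()` so the upstream connection can be opened to the address the client actually wanted; the order of the two lookups matters because getsockname() always returns something, but under NAT redirection that something is the proxy's own address.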