Re: proxies and firewalls

2004-02-02 Thread Jorn Argelo
On Monday 02 February 2004 19:04, you wrote:
> Thanks for the detailed explanation.
> The light bulb has turned on in my head.
> I learn something new all the time on this list.
>
> So let me put this in my own words to verify I understand correctly.
> Let's say I have a gateway box running 5 PCs on a LAN behind it,
> with a cable DHCP connection to the ISP.
> The gateway box runs the IPFILTER firewall and IPNAT to do the NAT function.
>
> I can discontinue using IPNAT and install an application level proxy
> server on my gateway box, and it will by default intercept all LAN
> and gateway originating packet traffic destined for the public
> internet after it's processed by my firewall and handle the
> bi-directional traffic transparently?

Well, at home I'm using both NAT and a proxy server, but that's because I 
can't play some online games by means of the proxy server, and the MSN 
clients are refusing to work with my proxy server as well, but for browsing all 
four of the computers are using the proxy server. I'm not running a firewall, 
because the proxy server provides decent security for home use here. All the 
ports are closed except those which are needed (web server, mail server, etc.).

If you're at a small company then the current situation you describe seems 
just fine to me. If you're at home then you can use this as well, but if you've 
got a gamer at home he isn't going to be happy, since you can't really use a 
proxy for online gaming. So it depends a bit.

Hope this helped a bit.

Cheers,

Jorn

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


RE: proxies and firewalls

2004-02-02 Thread JJB
Thanks for the detailed explanation.
The light bulb has turned on in my head.
I learn something new all the time on this list.

So let me put this in my own words to verify I understand correctly.
Let's say I have a gateway box running 5 PCs on a LAN behind it,
with a cable DHCP connection to the ISP.
The gateway box runs the IPFILTER firewall and IPNAT to do the NAT function.

I can discontinue using IPNAT and install an application level proxy
server on my gateway box, and it will by default intercept all LAN
and gateway originating packet traffic destined for the public
internet after it's processed by my firewall and handle the
bi-directional traffic transparently?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, February 02, 2004 12:02 PM
To: JJB
Cc: Jorn Argelo; [EMAIL PROTECTED]
Subject: Re: proxies and firewalls

> I have a LAN with private IP addresses that sends packets to the
> public internet. How does a proxy server solve the private IP
> address versus my public IP address problem?

Simply through not routing / NATting at all.

Instead of just forwarding the packets, rewriting the IP headers like a NAT
device does, an application layer proxy does the connections to the outside
world *INSTEAD* of the client.

To use the popular example of HTTP:
While a NAT device will just forward and rewrite your query to a server's
port 80/TCP and then forward and rewrite the reply according to its
connection table, an application layer proxy will do the query *itself*. It
will then process the reply, identify whether it looks like HTML that
matches its quality/security requirements and then give a friendly reply to
the client that originally did the query.

Again, the proxy itself plays client on the application layer.

This of course means that all outgoing connections are also done with the
external IP address of the application level proxy machine.

Clear now?



Re: proxies and firewalls

2004-02-02 Thread HOLLOW, CHRISTOPHER
Proxy doesn't necessarily solve the privateIP-to-publicIP problem.  NAT 
does:

http://www.cablemodemhelp.com/proxy_vs_nat.htm

Proxy is application level.  NAT is address translation.

HTH,

Christopher Hollow

JJB wrote:
Thanks for your reply, but I must be thick-headed this morning,
because what you say below makes no sense to me.
I checked out the 2 referenced descriptions and they say
nothing about doing NAT.
I have a LAN with private IP addresses that sends packets to the
public internet. How does a proxy server solve the private IP
address versus my public IP address problem?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Monday, February 02, 2004 11:28 AM
To: JJB
Cc: Jorn Argelo; [EMAIL PROTECTED]
Subject: Re: proxies and firewalls

Are you saying you know of a proxy server that does the NAT
function?


Actually, the point of having proxies is *not* having
to route. Your proxy machine should not be able to forward packets.
Roughly, there are two different sub-groups: circuit layer and
application layer proxies; the names should be self-explanatory.
Example for an app layer gateway:

Port:   fwtk-2.1
Path:   /usr/ports/security/fwtk
Info:   A toolkit used for building firewalls based on proxy services
Example for a circuit level proxy:

Port:   nylon-1.2
Path:   /usr/ports/net/nylon
Info:   A Unix SOCKS 4 and 5 proxy server
SOCKS5 is already app layer, too, IIRC.

Cheers, J.





Re: proxies and firewalls

2004-02-02 Thread jan . muenther
> I have a LAN with private IP addresses that sends packets to the
> public internet. How does a proxy server solve the private IP
> address versus my public IP address problem?

Simply through not routing / NATting at all. 

Instead of just forwarding the packets, rewriting the IP headers like a NAT
device does, an application layer proxy does the connections to the outside
world *INSTEAD* of the client.

To use the popular example of HTTP:
While a NAT device will just forward and rewrite your query to a server's
port 80/TCP and then forward and rewrite the reply according to its
connection table, an application layer proxy will do the query *itself*. It
will then process the reply, identify whether it looks like HTML that
matches its quality/security requirements and then give a friendly reply to
the client that originally did the query. 

Again, the proxy itself plays client on the application layer. 

This of course means that all outgoing connections are also done with the
external IP address of the application level proxy machine. 

Clear now?
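The distinction jan draws above, as a small runnable model: a NAT rewrites the address fields of each packet and keeps a connection table so the reply can be mapped back, never reading the payload; an application-layer proxy instead terminates the client's HTTP request, makes its own request upstream from its own external address, applies policy, and looks at the reply before handing anything back. This is an added example, not code from the thread or from any FreeBSD port; the `Packet`, `Nat`, `AppLayerProxy` and `FakeUpstream` names, the 203.0.113.5 and 192.168.1.x addresses and the example sites are all constructed for the illustration.

```python
from dataclasses import dataclass, replace
from urllib.parse import urlsplit

EXTERNAL_IP = "203.0.113.5"   # constructed: the gateway's public (ISP-facing) address


@dataclass(frozen=True)
class Packet:
    """The header fields a NAT looks at, plus an opaque payload it never reads."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class Nat:
    """Stateful NAT: forwards packets with rewritten addresses and remembers
    each mapping in a connection table so replies can be rewritten back."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.table = {}     # external port -> (internal ip, internal port)
        self.reverse = {}   # (internal ip, internal port) -> external port

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        # Only the header changes; the NAT has no idea what HTTP is.
        return replace(pkt, src_ip=self.external_ip, src_port=self.reverse[key])

    def inbound(self, pkt):
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.external_ip or entry is None:
            return None     # no table entry: unsolicited packet, dropped
        ip, port = entry
        return replace(pkt, dst_ip=ip, dst_port=port)


class FakeUpstream:
    """Stand-in for 'the outside world': records which source address asked."""

    def __init__(self):
        self.seen = []
        self.sites = {   # constructed sample content
            "www.example.com": ("200 OK", "text/html", "<html><body>hello</body></html>"),
            "files.example.com": ("200 OK", "application/octet-stream", "MZ...."),
        }

    def fetch(self, src_ip, host, path):
        self.seen.append((src_ip, host, path))
        return self.sites.get(host, ("404 Not Found", "text/html", "<html>no such site</html>"))


class AppLayerProxy:
    """Terminates the client's HTTP request and makes its own request upstream."""

    def __init__(self, external_ip, fetch, blocked_hosts=()):
        self.external_ip = external_ip
        self.fetch = fetch
        self.blocked_hosts = set(blocked_hosts)
        self.log = []       # (client ip, host) pairs, for the administrator only

    def handle(self, client_ip, request_line):
        parts = request_line.split()
        if len(parts) < 2:
            return "400 Bad Request"
        method, url = parts[0], parts[1]
        if method != "GET":
            return "405 Method Not Allowed"
        target = urlsplit(url)
        host = target.hostname
        if target.scheme != "http" or not host:
            return "400 Bad Request"
        self.log.append((client_ip, host))
        if host in self.blocked_hosts:
            return "403 Forbidden (blocked by proxy policy)"
        # The proxy is the client here: the request leaves from its own address,
        # and the internal client_ip never reaches the upstream server.
        status, content_type, body = self.fetch(self.external_ip, host, target.path or "/")
        if content_type != "text/html":
            return "502 Bad Gateway (reply is not HTML; not relayed)"
        return f"{status} {body}"


if __name__ == "__main__":
    nat = Nat(EXTERNAL_IP)
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80, "GET / HTTP/1.0"))
    print("NAT outbound:", out)
    upstream = FakeUpstream()
    proxy = AppLayerProxy(EXTERNAL_IP, upstream.fetch, blocked_hosts={"messenger.example"})
    print("proxy:", proxy.handle("192.168.1.10", "GET http://www.example.com/index.html HTTP/1.0"))
    print("upstream saw:", upstream.seen)
```

Two things fall out of running it: the upstream only ever sees the proxy's address, which is jan's point that all outgoing connections carry the proxy machine's external IP, and the NAT drops any inbound packet with no entry in its table, which is the only filtering a plain NAT does. The `text/html` comparison stands in for the "does the reply look like acceptable HTML" step; a real proxy inspects far more than the Content-Type.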


RE: proxies and firewalls

2004-02-02 Thread JJB
Thanks for your reply, but I must be thick-headed this morning,
because what you say below makes no sense to me.
I checked out the 2 referenced descriptions and they say
nothing about doing NAT.

I have a LAN with private IP addresses that sends packets to the
public internet. How does a proxy server solve the private IP
address versus my public IP address problem?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Monday, February 02, 2004 11:28 AM
To: JJB
Cc: Jorn Argelo; [EMAIL PROTECTED]
Subject: Re: proxies and firewalls

> Are you saying you know of a proxy server that does the NAT
> function?

Actually, the point of having proxies is *not* having
to route. Your proxy machine should not be able to forward packets.

Roughly, there are two different sub-groups: circuit layer and
application layer proxies; the names should be self-explanatory.

Example for an app layer gateway:

Port:   fwtk-2.1
Path:   /usr/ports/security/fwtk
Info:   A toolkit used for building firewalls based on proxy services


Example for a circuit level proxy:

Port:   nylon-1.2
Path:   /usr/ports/net/nylon
Info:   A Unix SOCKS 4 and 5 proxy server


SOCKS5 is already app layer, too, IIRC.

Cheers, J.




Re: proxies and firewalls

2004-02-02 Thread jan . muenther
> Are you saying you know of a proxy server that does the NAT
> function?

Actually, the point of having proxies is *not* having
to route. Your proxy machine should not be able to forward packets. 

Roughly, there are two different sub-groups: circuit layer and application
layer proxies; the names should be self-explanatory. 

Example for an app layer gateway:

Port:   fwtk-2.1
Path:   /usr/ports/security/fwtk
Info:   A toolkit used for building firewalls based on proxy services


Example for a circuit level proxy:

Port:   nylon-1.2
Path:   /usr/ports/net/nylon
Info:   A Unix SOCKS 4 and 5 proxy server


SOCKS5 is already app layer, too, IIRC.

Cheers, J.


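jan's circuit-level example, nylon, is a SOCKS server. To show what a circuit-level proxy actually sees, here is a parser for the SOCKS5 greeting and CONNECT request (the wire format from RFC 1928) with a small ruleset applied before any circuit is opened: the proxy learns only the destination address and port, which is where its policy can act, and after that it relays bytes it does not interpret. This is an added example, not code from the thread or from the nylon port; the sample request bytes and the `decide` / `is_internal_destination` policy are constructed, and the way domain names are treated is an assumption noted in the code.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# Reply codes from RFC 1928 section 6
REP_SUCCEEDED, REP_GENERAL_FAILURE, REP_NOT_ALLOWED = 0x00, 0x01, 0x02
REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0x07, 0x08
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF


class SocksError(ValueError):
    """Parse failure that carries the reply code the server should send."""
    def __init__(self, rep, message):
        super().__init__(message)
        self.rep = rep


def parse_greeting(data: bytes) -> list:
    """Client greeting: VER NMETHODS METHODS. Returns the offered auth methods."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return list(data[2:])


def select_method(methods: list) -> bytes:
    """Server's method selection: VER METHOD. This sample only offers 'no auth'."""
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def parse_request(data: bytes):
    """Request: VER CMD RSV ATYP DST.ADDR DST.PORT. Returns (command, host, port).
    This is all a circuit-level proxy sees; the application data that follows
    the reply is relayed without being interpreted."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise SocksError(REP_GENERAL_FAILURE, "malformed SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_end, host = 8, str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == ATYP_IPV6:
        addr_end, host = 20, str(ipaddress.IPv6Address(data[4:20]))
    elif atyp == ATYP_DOMAIN:
        name_len = data[4]
        addr_end, host = 5 + name_len, data[5:5 + name_len].decode("ascii")
    else:
        raise SocksError(REP_ATYP_NOT_SUPPORTED, "unsupported address type")
    if len(data) != addr_end + 2:
        raise SocksError(REP_GENERAL_FAILURE, "truncated SOCKS5 request")
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return CMD_NAMES.get(cmd, "UNKNOWN"), host, port


def is_internal_destination(host: str) -> bool:
    """Ruleset: never open circuits back into private, loopback or link-local space.
    Assumption for this sample: a domain name passes here; a real server must
    re-check the address the name actually resolves to before connecting."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def build_reply(rep: int) -> bytes:
    """Reply: VER REP RSV ATYP BND.ADDR BND.PORT, with an all-zero IPv4 bind address."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(6)


def decide(data: bytes):
    """Apply the ruleset to one request. Returns (reply bytes, (host, port) or None)."""
    try:
        cmd, host, port = parse_request(data)
    except SocksError as e:
        return build_reply(e.rep), None
    except ValueError:                    # bad packed address from ipaddress
        return build_reply(REP_GENERAL_FAILURE), None
    if cmd != "CONNECT":
        return build_reply(REP_CMD_NOT_SUPPORTED), None
    if is_internal_destination(host):
        return build_reply(REP_NOT_ALLOWED), None
    return build_reply(REP_SUCCEEDED), (host, port)


if __name__ == "__main__":
    # constructed: CONNECT www.example.com:80 using the domain-name address type
    req = b"\x05\x01\x00\x03\x0fwww.example.com\x00\x50"
    print(parse_request(req), decide(req))
```

The contrast with the application-layer case is in what `decide` can and cannot rule on: destination host, port and command are visible, so a "no circuits back into the LAN" rule is enforceable here, but nothing about the HTTP, FTP or chat traffic that later flows over the circuit is, which is why a SOCKS relay cannot do the reply inspection jan describes for an application-layer proxy.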


RE: proxies and firewalls

2004-02-02 Thread JJB
Friend Jorn

Are you saying you know of a proxy server that does the NAT
function?
Please point me to it.

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jorn Argelo
Sent: Monday, February 02, 2004 5:04 AM
To: Hiren
Cc: [EMAIL PROTECTED]
Subject: Re: proxies and firewalls

When one is connected to a proxy server, the proxy server makes a connection
to the outside world and transports the data to the computer that is
requesting that information. So the client computer won't make a true
connection to the outside world, but it only connects to the proxy server. In
there the administrator can give several rules to the proxy server on what to
allow/disallow. For example you can prevent clients from connecting to the MSN
port. If you use a proxy server your internal IP address will almost always
be shown on sites that show your IP address rather than your true external IP
address. Also, a proxy server caches files it collects from the net, thus
making them accessible faster.

NAT (Network Address Translator) does nothing more than translating your
internal IP address to an external one. So there is a direct connection to
the internet like that, and there is no caching done by the NAT server. NAT is
handy for home use, since you don't have to really tighten up your security as
you do with your company.

So if you've got a big company then you should definitely use a proxy server to
let your people connect to the outside world.

Cheers,

Jorn

On Monday 02 February 2004 10:38, Hiren wrote:
> Greetings all,
>
> I often come across proxies and firewalls under the security section of
> tutorials and guides. I have read that one can create proxies of any
> internet service like FTP, WWW, etc.
> My question is: what exactly is a proxy and how does it play a role in
> security, why and how does it replace NATing, and how does it play a
> role in security with regard to NAT? What services can be proxied, is it
> worth having, and general advice.
>
> Thanks all,
> Hiren.
>


Re: proxies and firewalls

2004-02-02 Thread Jorn Argelo
When one is connected to a proxy server, the proxy server makes a connection 
to the outside world and transports the data to the computer that is 
requesting that information. So the client computer won't make a true 
connection to the outside world, but it only connects to the proxy server. In 
there the administrator can give several rules to the proxy server on what to 
allow/disallow. For example you can prevent clients from connecting to the MSN 
port. If you use a proxy server your internal IP address will almost always 
be shown on sites that show your IP address rather than your true external IP 
address. Also, a proxy server caches files it collects from the net, thus 
making them accessible faster.

NAT (Network Address Translator) does nothing more than translating your 
internal IP address to an external one. So there is a direct connection to 
the internet like that, and there is no caching done by the NAT server. NAT is 
handy for home use, since you don't have to really tighten up your security as 
you do with your company. 

So if you've got a big company then you should definitely use a proxy server to 
let your people connect to the outside world.

Cheers,

Jorn

On Monday 02 February 2004 10:38, Hiren wrote:
> Greetings all,
>
> I often come across proxies and firewalls under the security section of
> tutorials and guides. I have read that one can create proxies of any
> internet service like FTP, WWW, etc.
> My question is: what exactly is a proxy and how does it play a role in
> security, why and how does it replace NATing, and how does it play a
> role in security with regard to NAT? What services can be proxied, is it
> worth having, and general advice.
>
> Thanks all,
> Hiren.
>


proxies and firewalls

2004-02-02 Thread Hiren
Greetings all,

I often come across proxies and firewalls under the security section of
tutorials and guides. I have read that one can create proxies of any
internet service like FTP, WWW, etc.
My question is: what exactly is a proxy and how does it play a role in
security, why and how does it replace NATing, and how does it play a
role in security with regard to NAT? What services can be proxied, is it
worth having, and general advice.

Thanks all,
Hiren.
