On Tue, 2005-10-04 at 08:10 +1000, Carlo Sogono wrote:
> We have been using tcp proxies (simpleproxy/tcpproxy) to forward ports
> from our firewall to internal machines. Recently I have changed this
> setup to regular iptables port forwarding. My understanding is that
> since tcp proxies are daemons that accept connections from the
> Internet and make connections to internal IPs, they would be a lot
> slower than iptables (kernel-level routing?). Are there any advantages
> to running tcp proxies instead of using port forwarding?
That's a hard question in general. One thing that a "TCP proxy" does is to ACK packets as soon as they get to the router, rather than when they reach their endpoint. This is a desirable property if your gateway forwards to a high-throughput but also high-latency link (satellite for example). It does break TCP semantics though.

TCP layer proxies are also able to insulate your network from "broken TCP packets". The problem is that unless you run a well-written TCP proxy, you then open up your firewall to attack.

If you're just using this to forward to SSH, then I'd be using packet-forwarding. If it's web, I'd probably run Squid or similar in front of your web-server. But straight "TCP proxies" don't offer that many benefits on their own unless you have very specialised needs (assuming you keep your kernels patched on the machines in your network).

HTH,
James.

--
"Now, there are no problems – only opportunities. However, this seemed to be an insurmountable opportunity." - http://www.surfare.net/~toolman/temp/diagram.html
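The mechanism Carlo describes (a daemon that accepts the Internet-side connection and opens a separate TCP connection to the internal host) as a minimal Python relay, added here as an illustration and not code from simpleproxy, tcpproxy or anyone on this list; `demo()` and the echo backend are constructed loopback fixtures. The returned addresses show the defender-relevant consequence of that second connection: the internal machine sees the proxy's own address and port, not the original client's, which matters for logging and source-based filtering and is exactly what kernel DNAT preserves.

```python
import socket
import threading
def _pump(src, dst):
    # Relay bytes one way. The proxy host ACKs each segment itself, so the
    # sender's TCP never talks to the real endpoint (the "broken semantics").
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass
def _serve(srv, on_conn):
    # Accept forever on a daemon thread; on_conn handles each connection.
    def loop():
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=on_conn, args=(conn, peer), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()
def start_proxy(listen_addr, backend_addr):
    # Second, independent TCP connection: the backend sees the proxy's address.
    def on_conn(client, _peer):
        upstream = socket.create_connection(backend_addr)
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        _pump(client, upstream)
        upstream.close(); client.close()
    return _serve(socket.create_server(listen_addr), on_conn)
def start_echo_backend(listen_addr, seen):
    # Constructed stand-in for the internal machine; records peers it sees.
    def on_conn(conn, peer):
        seen.append(peer)
        with conn:
            while chunk := conn.recv(4096):
                conn.sendall(chunk)
    return _serve(socket.create_server(listen_addr), on_conn)
def demo():
    # Constructed end-to-end run on loopback with ephemeral ports.
    seen = []
    backend = start_echo_backend(("127.0.0.1", 0), seen)
    proxy = start_proxy(("127.0.0.1", 0), backend)
    with socket.create_connection(proxy) as c:
        client_addr = c.getsockname()
        c.sendall(b"hello")
        reply = c.recv(4096)
    return reply, client_addr, seen[0]
```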
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
