Firewall Wizards mailing list archives

Re: Gauntlet source IP address re-write question


From: Chris michael <cm () rmsbus com>
Date: Sat, 07 Nov 1998 17:34:54 -0800

At 09:08 AM 11/4/98 -0800, esteban wrote:
Being an APG, the proxy rewrites the source IP address of connections outgoing from the internal protected networks to that of the outside interface of the firewall.

Well, sort of.  Actually there are two separate connections open for each
user session:  One from the user on the inside to the firewall and one from
the firewall to the destination.  The application proxy moves the *data*
back and forth between the two connections--not packets.  So the addresses
aren't really rewritten--you're just seeing the outside connection.

There is an option for "transparency" in Gauntlet, but from what I can tell from the documentation, it only works in such a way that the internal users can initiate connections directly to the outside world. Transparency in that case provides for not having to reconfigure internal users' machines.

Correct.  The default is to have transparency enabled for the internal
interface, but it can be enabled for other interfaces, too.


The problem is the IP address rewrite.  When I connect to some external host
with whatever application, I want to see the source IP address as the real IP
address, not the IP address of the firewall.

Usually people want to do just the opposite.  They want to hide their
internal addresses.

Is there such a way to make Gauntlet do that? As far as I can tell, the only way is to use the "Plug" proxy, which does have an option for passing the source IP address. But there is no such option on the telnet proxy setup.

That's what the manual says.  I suppose you might be able to do something
with NAT.  I don't know that you could preserve the actual internal
addresses, but you could, I think, do a one to one mapping of internal
addresses to external.


Raptor, on the other hand, in the last release of their software implemented a whole scale transparency that does accomplish maintaining the source IP address of connections coming across the proxies. Is there really no such comparable option in Gauntlet? Can you turn off source IP address re-write?

Since it's not really a re-write of addresses, but a function of how
proxies work, you can't just turn it off.

You might want to post this question to the gauntlet-user list for a second
opinion.  See http:\\rmsbus.com\gauntlet-user.htm for information.

chris
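The two-connection model Chris describes above, as an added illustration that is not part of the original thread: a minimal application proxy on loopback that accepts an inside connection, opens its own separate outside connection, and copies data between the two. The destination records the peer it accepted, which turns out to be the proxy's outside socket rather than the client's; the echo destination and every address here are constructed for the demo.

```python
import socket
import threading

def _relay(src, dst):
    # Copy bytes from src to dst until src closes. This is the whole "proxy":
    # payload moves between two sockets; no IP header is rewritten anywhere.
    while True:
        data = src.recv(4096)
        if not data:
            break
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)   # pass the close along to the other leg
    except OSError:
        pass

def _listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))           # constructed demo: loopback, ephemeral port
    s.listen(1)
    return s

def run_demo(payload=b"hello"):
    """One client session through a minimal application proxy to an echo server."""
    seen, dest, proxy = {}, _listener(), _listener()
    def destination():                   # stands in for the external host
        conn, seen["dest_peer"] = dest.accept()   # the only connection it ever sees
        with conn:
            conn.sendall(conn.recv(4096))         # echo
    def app_proxy():                     # stands in for the firewall's proxy
        inside, seen["inside_peer"] = proxy.accept()
        outside = socket.create_connection(dest.getsockname())  # second, separate TCP connection
        seen["proxy_out"] = outside.getsockname()
        back = threading.Thread(target=_relay, args=(outside, inside))
        back.start()
        _relay(inside, outside)
        back.join()
        inside.close(); outside.close()
    threads = [threading.Thread(target=destination), threading.Thread(target=app_proxy)]
    for t in threads: t.start()
    client = socket.create_connection(proxy.getsockname())
    seen["client"] = client.getsockname()
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)
    seen["reply"] = client.makefile("rb").read()  # read until the proxy closes our leg
    client.close()
    for t in threads: t.join()
    dest.close(); proxy.close()
    return seen
```

Because the external host only ever sees the proxy's own socket, the internal originator of a session can be recovered from the proxy's logs alone, which is the place to look during an investigation.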