Firewall Wizards mailing list archives
Re: Gauntlet source IP address re-write question
From: Chris michael <cm () rmsbus com>
Date: Sat, 07 Nov 1998 17:34:54 -0800
At 09:08 AM 11/4/98 -0800, esteban wrote:
> Being an APG, the proxy rewrites the source IP address of connections outgoing from the internal protected networks to that of the outside interface of the firewall.
Well, sort of. Actually there are two separate connections open for each user session: One from the user on the inside to the firewall and one from the firewall to the destination. The application proxy moves the *data* back and forth between the two connections--not packets. So the addresses aren't really rewritten--you're just seeing the outside connection.
> There is an option for "transparency" in Gauntlet, but from what I can tell from the documentation, it only works in such a way that the internal users can initiate connections directly to the outside world. Transparency in that case provides for not having to reconfigure internal users' machines.
Correct. The default is to have transparency enabled for the internal interface, but it can be enabled for other interfaces, too.
> The problem is the IP address rewrite. When I connect to some external host with whatever application, I want to see the source IP address as the real IP address, not the IP address of the firewall.
Usually people want to do just the opposite. They want to hide their internal addresses.
> Is there such a way to make Gauntlet do that? As far as I can tell, the only way is to use the "Plug" proxy, which does have an option for passing the source IP address. But there is no such option on the telnet proxy setup.
That's what the manual says. I suppose you might be able to do something with NAT. I don't know that you could preserve the actual internal addresses, but you could, I think, do a one to one mapping of internal addresses to external.
> Raptor, on the other hand, in the last release of their software implemented a whole scale transparency that does accomplish maintaining the source IP address of connections coming across the proxies. Is there really no such comparable option in Gauntlet? Can you turn off source IP address re-write?
Since it's not really a re-write of addresses, but a function of how proxies work, you can't just turn it off. You might want to post this question to the gauntlet-user list for a second opinion. See http:\\rmsbus.com\gauntlet-user.htm for information.
chris
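The two-connection behaviour described in the reply above, as an added example that is not part of the original message and is not Gauntlet code: a minimal loopback relay in Python showing that the destination's peer address is the proxy's own outbound socket. All function names are hypothetical, and because everything runs on 127.0.0.1 the two connections are identified by their (IP, port) pairs rather than by IP alone.

```python
import socket
import threading

def listen():
    """Open a listening TCP socket on an ephemeral loopback port."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def destination(srv, seen):
    """Stand-in for the external host: records who connected to it."""
    conn, peer = srv.accept()
    with conn:
        seen["peer"] = peer                      # source address the destination observes
        conn.sendall(conn.recv(1024).upper())

def proxy(srv, dest_addr, seen):
    """Stand-in for the application proxy on the firewall."""
    inside, client_peer = srv.accept()           # connection 1: user -> firewall
    with inside, socket.create_connection(dest_addr) as outside:  # connection 2: firewall -> destination
        seen["client"] = client_peer
        seen["proxy_out"] = outside.getsockname()
        outside.sendall(inside.recv(1024))       # only payload bytes cross, never packets
        inside.sendall(outside.recv(1024))

def run_demo():
    seen = {}
    dest_srv, proxy_srv = listen(), listen()
    threads = [
        threading.Thread(target=destination, args=(dest_srv, seen)),
        threading.Thread(target=proxy, args=(proxy_srv, dest_srv.getsockname(), seen)),
    ]
    for t in threads:
        t.start()
    with socket.create_connection(proxy_srv.getsockname()) as user:
        seen["user"] = user.getsockname()        # the user's real source address
        user.sendall(b"hello")
        seen["reply"] = user.recv(1024)
    for t in threads:
        t.join()
    dest_srv.close()
    proxy_srv.close()
    return seen

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The user's address is known only to the proxy (`seen["client"]`); nothing in the second connection carries it, which is why there is no rewrite to switch off.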