Firewall Wizards mailing list archives

Re: Gauntlet source IP address re-write question


From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Mon, 9 Nov 1998 11:40:31 -0500 (EST)

This is a Gauntlet-specific question, but I would like to hear about other
systems too. I am looking at implementing Gauntlet at some sites and have come
across a question that I can't easily find an answer for.

Being an APG, the proxy rewrites the source IP address of connections outgoing
from the internal protected networks to that of the outside interface of the
firewall.

I.e., if I telnet from an internal machine to some machine on the Internet and
do a "who", I will see myself logged in from the external IP address of the
firewall.

There is an option for "transparency" in Gauntlet, but from what I can tell
from the documentation, it only works in such a way that the internal users can
initiate connections directly to the outside world. Transparency in that case
provides for not having to reconfigure internal users' machines.

The problem is the IP address rewrite.  When I connect to some external host
with whatever application, I want to see the source IP address as the real IP
address, not the IP address of the firewall. Is there such a way to make
Gauntlet do that? As far as I can tell, the only way is to use the "Plug"
proxy, which does have an option for passing the source IP address. But there
is no such option on the telnet proxy setup.

Raptor, on the other hand, in the last release of their software implemented a
wholesale transparency that does accomplish maintaining the source IP address
of connections coming across the proxies. Is there really no such comparable
option in Gauntlet? Can you turn off source IP address re-write? Maybe I missed
something.

Raptor enables wholesale transparency of your network, letting people
outside route anything THEY want to anywhere on your network.  This is
why we don't like it and don't use it.  Gauntlet transparency does the
same thing, to some degree.  (Yes, as I understand it, for telnet,
too.)  You'll have to decide whether you feel comfortable exposing
yourselves like that.

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.