Firewall Wizards mailing list archives

Re: Transparent vs. Non-transparent AGs/SPFs/whatever


From: "Ryan Russell" <ryanr () sybase com>
Date: Wed, 23 Sep 1998 10:10:09 -0700


That doesn't really answer the question I asked.  Sure, if I know
ahead of time that my user wants to telnet to port 2300, I can
configure my firewall to route traffic with a destination port
of 2300 through my telnet proxy app, no problem.  But what
if I don't know ahead of time what port people will be telnetting
to?

(this is assuming I want to proxy more than 1 protocol... if I'm
only allowing telnet out, then the telnet proxy could handle everything.)

And what if a different one of my users wants to do HTTP to
port 2300 on a different host on the Internet?

(Again, the assumption is that the telnet proxy is smart enough to
know that HTTP doesn't look like a proper telnet...  if a telnet
proxy lets HTTP through thinking that it's just a weird telnet session,
then that's just another circuit-level proxy as far as I'm concerned.)

                         Ryan

P.S. BTW, I think I probably already know the answer to this
thread I've started, I'm just hoping I'm wrong.
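As an added illustration of the "does this actually look like telnet?" check Ryan is asking about (not code from the original thread), here is a sketch in Python of how an application-level proxy handling an arbitrary port such as 2300 can classify the start of a client stream and refuse anything that is not the protocol it was configured to proxy, instead of passing it through as a "weird telnet session". The protocol signatures, the policy set and the sample bytes are constructed assumptions for the example.

```python
import re

# Telnet clients normally open with IAC option negotiation (RFC 854):
# 0xFF followed by WILL/WONT/DO/DONT (0xFB..0xFE) and an option code.
TELNET_IAC = 0xFF
TELNET_NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}

# An HTTP request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r?\n"
)


def looks_like_telnet(data: bytes) -> bool:
    """True if the first bytes are a telnet IAC negotiation sequence."""
    return len(data) >= 3 and data[0] == TELNET_IAC and data[1] in TELNET_NEGOTIATION


def looks_like_http(data: bytes) -> bool:
    """True if the first line parses as an HTTP/1.x request line."""
    return HTTP_REQUEST_LINE.match(data) is not None


def classify_stream(data: bytes) -> str:
    """Classify the opening bytes of a client stream: 'telnet', 'http' or 'unknown'.

    A real gateway would also inspect the server's first bytes, since some
    telnet clients wait for the server to negotiate first; a stream that
    never shows a recognisable signature stays 'unknown' and is dropped,
    rather than being assumed to be telnet.
    """
    if looks_like_telnet(data):
        return "telnet"
    if looks_like_http(data):
        return "http"
    return "unknown"


# Assumed policy for port 2300: only the telnet proxy is configured here.
ALLOWED_PROXIES = frozenset({"telnet"})


def dispatch(data: bytes, allowed=ALLOWED_PROXIES) -> str:
    """Return 'proxy:<proto>' for a stream matching an allowed proxy, else 'reject'.

    This is the application-level behaviour: an HTTP request on the telnet
    port is rejected, not tunnelled through as if it were telnet.
    """
    proto = classify_stream(data)
    return f"proxy:{proto}" if proto in allowed else "reject"
```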


AGs run transparently if they are the one pipe between the protected
network (inside) and the unprotected Internet (outside).
All default routes of the inside network, whether default gateway or router
defaults, point to the inside NIC of the firewall.
For your example, the firewall rules then say that if any traffic comes
in from the inside NIC for port 2300 it will be proxied as telnet. No other
service will be allowed on port 2300.
Similarly for external traffic. Since there are 2 sessions on the firewall for
each connection (from inside to firewall, from firewall to external
server), you can even change the port on the way through or even change the
protocol (always change ftp to ftp-PASV running under http).
You are not restricted to carrying the same packets on each side of the
firewall.