Firewall Wizards mailing list archives
Re: Transparent vs. Non-transparent AGs/SPFs/whatever
From: "Stephen P. Gibbons" <steve () aztech net>
Date: Thu, 24 Sep 1998 21:44:26 -0700
I've been kicking some ideas around in my head for a while related to transparent application gateways, and since the topic has come up, I thought I'd put them on the table for discussion.

Assumptions:

1) AG is the sole path to the "big bad Internet"
2) Primary DNS resolvers are located on the same subnet as client machines.
3) Primary DNS resolvers forward DNS resolution to AG when they're confused.
4) AG has X number of IP addresses/virtual interfaces assigned to it and configured.
5) I've mostly been thinking in terms of outbound access; inbound shouldn't be that much different, though.

Straw-man:

1) Client.local.goodguy.com requests an http connection to www.somesite.com
  1A) resolve www.somesite.com via dns.local.goodguy.com
  1B) dns.local.goodguy.com can't resolve it, so it gets forwarded to dns.ag.goodguy.com
  1C) dns.ag.goodguy.com realizes that the request came from an internal address and:
    1C1) reconfigures an available virtual interface
    1C2) responds with this newly configured address instead of the A RR for www.somesite.com
    1C3) keeps a state table of requests and responses
2) client.local.goodguy.com connects to the A RR that it got back via recursive DNS.
  2A) ag.goodguy.com looks at the IP address/subnet that the request came from,
  2B) and checks its state table
  2C) and then figures out which external host it should act as a proxy to and proxies.

I think that this can be made to work for any/all IP protocols as long as DNS is hit. I think that the DNS limitation can be mitigated with a special TLD, e.g. 198.182.221.2.ip-address, and even eliminated with a resolver library that understands that it needs to translate all "raw" numeric IP-address requests to the .ip-address domain.

This is a straw-man proposal. I expect it to be picked to shreds, and welcome such picking.

The ideas mentioned above are mine. If you think you can turn them into a marketable product, please contact me beforehand. If your legal department says "don't contact him", I urge you to reconsider, and at least call to chat.

-- Steve
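The straw-man above, simulated as an added Python example (this is not code from the post or from any product): the gateway answers forwarded queries from internal clients with one of its own virtual addresses, records (client subnet, virtual address) -> (name, real address) in a state table, and resolves an incoming connection to a virtual address back to the external host to proxy to. It also handles the post's ".ip-address" TLD for numeric targets and the failure mode the post's "X number of IP addresses" implies, pool exhaustion. The address ranges, host names and the in-memory stand-in for upstream DNS are constructed for the example.

```python
"""Simulation of the DNS-driven transparent application gateway described in
the post: internal clients get a gateway-owned virtual address in place of the
real A RR, and the gateway maps connections to that address back to the
external host it should proxy to."""
import ipaddress
from dataclasses import dataclass, field

# Constructed values: the internal client range and the special TLD the post
# proposes for "raw" numeric targets. Everything below is hypothetical.
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")
RAW_IP_TLD = ".ip-address"


class PoolExhausted(Exception):
    """No free virtual interface is left to hand out (the post's finite X)."""


@dataclass
class Gateway:
    free_vips: list                              # unassigned virtual addresses
    upstream: dict                               # stand-in for recursive DNS: name -> A RR
    state: dict = field(default_factory=dict)    # (client_subnet, vip) -> (name, real_ip)
    by_name: dict = field(default_factory=dict)  # (client_subnet, name) -> vip, for reuse

    @staticmethod
    def client_subnet(client_ip):
        # 2A: state is keyed on the subnet the request came from (assumed /24 here).
        return ipaddress.ip_network(f"{client_ip}/24", strict=False)

    def real_address(self, name):
        # Numeric targets arrive as d.d.d.d.ip-address (the post's workaround
        # for connections that never consult DNS); everything else is looked up.
        if name.endswith(RAW_IP_TLD):
            return ipaddress.ip_address(name[:-len(RAW_IP_TLD)])
        real = self.upstream.get(name)
        return ipaddress.ip_address(real) if real else None

    def resolve(self, client_ip, name):
        """1C: answer a forwarded query; internal askers get a virtual address."""
        client = ipaddress.ip_address(client_ip)
        real = self.real_address(name)
        if real is None:
            return None                            # NXDOMAIN: nothing to proxy to
        if client not in INTERNAL_NET:
            return real                            # external asker gets the true A RR
        subnet = self.client_subnet(client)
        key = (subnet, name)
        if key in self.by_name:                    # same subnet, same name: reuse mapping
            return self.by_name[key]
        if not self.free_vips:
            raise PoolExhausted(name)              # 1C1 fails: all X interfaces in use
        vip = self.free_vips.pop(0)                # 1C1: take an available virtual interface
        self.state[(subnet, vip)] = (name, real)   # 1C3: state table entry
        self.by_name[key] = vip
        return vip                                 # 1C2: virtual address instead of the A RR

    def connect(self, client_ip, dst_ip):
        """2A-2C: map a connection to a virtual address onto the recorded host."""
        subnet = self.client_subnet(ipaddress.ip_address(client_ip))
        # (name, real_ip), or None when this subnet never resolved anything to dst_ip
        return self.state.get((subnet, ipaddress.ip_address(dst_ip)))

    def release(self, client_ip, vip):
        """Return a virtual interface to the pool once its mapping is no longer needed."""
        subnet = self.client_subnet(ipaddress.ip_address(client_ip))
        vip = ipaddress.ip_address(vip)
        name, _ = self.state.pop((subnet, vip))
        self.by_name.pop((subnet, name))
        self.free_vips.append(vip)


def demo():
    """Walk steps 1 and 2 of the straw-man for one internal client."""
    ag = Gateway(
        free_vips=[ipaddress.ip_address("203.0.113.10"),
                   ipaddress.ip_address("203.0.113.11")],
        upstream={"www.somesite.com": "198.51.100.7"},  # constructed A RR
    )
    vip = ag.resolve("192.168.1.20", "www.somesite.com")  # 1A-1C
    target = ag.connect("192.168.1.20", vip)              # 2A-2C
    return ag, vip, target


if __name__ == "__main__":
    ag, vip, target = demo()
    print(f"client was told {vip}; gateway proxies to {target[0]} ({target[1]})")
```

The reuse table (by_name) matters in practice: without it every query for the same name from the same subnet would burn another virtual interface, and a client that simply re-resolves a busy site would exhaust the pool on its own. Connections to a virtual address for which the asking subnet holds no state return None, which is the case the gateway should refuse rather than guess.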