Firewall Wizards mailing list archives

Re: Transparent vs. Non-transparent AGs/SPFs/whatever


From: "Stephen P. Gibbons" <steve () aztech net>
Date: Thu, 24 Sep 1998 21:44:26 -0700

I've been kicking some ideas around in my head for a while related to transparent application gateways, and since the topic has come up, I thought I'd put them on the table for discussion.

Assumptions:

1) AG is the sole path to the "big bad Internet"
2) Primary DNS resolvers are located on the same subnet as client machines.
3) Primary DNS resolvers forward DNS resolution to AG, when they're confused.
4) AG has X number of IP addresses/virtual interfaces assigned to it and configured.
5) I've mostly been thinking in terms of outbound access, inbound shouldn't be that much different, though.

Straw-man:
1) Client.local.goodguy.com requests an http connection to www.somesite.com
1A) resolve www.somesite.com via dns.local.goodguy.com
1B) dns.local.goodguy.com can't resolve it, so it gets forwarded to dns.ag.goodguy.com
1C) dns.ag.goodguy.com realizes that the request came from an internal address and:
1C1) reconfigures an available virtual interface
1C2) responds with this newly configured address instead of the A RR for www.somesite.com
1C3) keeps a state table of requests and responses
2) client.local.goodguy.com connects to the A RR that it got back via recursive DNS.
2A) ag.goodguy.com looks at the IP address/subnet that the request came from,
2B) and checks its state table
2C) and then figures out which external host it should act as a proxy to and proxies.

I think that this can be made to work for any/all IP protocols as long as DNS is hit.  I think that the DNS limitation can be mitigated with a special TLD, e.g. 198.182.221.2.ip-address, and even eliminated with a resolver library that understands that it needs to translate all "raw" numeric IP-address requests to the .ip-address domain.

This is a straw-man proposal.  I expect it to be picked to shreds, and welcome such picking.

The ideas mentioned above are mine.  If you think you can turn them into a marketable product, please contact me beforehand.  If your legal department says "don't contact him", I urge you to reconsider, and at least call to chat.

--
Steve
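The state table at the heart of this straw-man (steps 1C1-1C3 on the DNS side, 2A-2C on the proxy side), as an added example that is not part of the post or any product; it assumes a pool of gateway virtual IPs, an internal subnet, a caller-supplied clock `now`, and that each mapping is leased for the TTL of the rewritten answer and bound to the client that asked, so a connection to a virtual IP from any other internal host is refused rather than proxied. The `.ip-address` pseudo-TLD from the post is translated back to a literal address.

```python
import ipaddress
from dataclasses import dataclass
PSEUDO_TLD = ".ip-address"  # the post's special TLD: "198.182.221.2.ip-address" means that raw address

@dataclass
class Lease:
    client: str    # internal client that asked
    target: str    # external name or literal address the client actually wanted
    expires: float # lease ends when the TTL of the rewritten DNS answer runs out

def target_from_qname(qname):
    """Map a name under the .ip-address pseudo-TLD back to a literal address; pass others through."""
    name = qname.rstrip(".")
    if name.endswith(PSEUDO_TLD):
        return str(ipaddress.ip_address(name[:-len(PSEUDO_TLD)]))  # ValueError if not an address
    return name

class GatewayStateTable:
    """Steps 1C1-1C3 and 2A-2C: virtual IP handed out in DNS -> (client, external target)."""
    def __init__(self, virtual_ips, internal_net, ttl=60):
        self.free = list(virtual_ips)                    # unconfigured virtual interfaces
        self.leases = {}                                 # virtual ip -> Lease
        self.internal = ipaddress.ip_network(internal_net)
        self.ttl = ttl                                   # TTL put on the rewritten A RR (assumed)
    def _expire(self, now):
        for vip, lease in list(self.leases.items()):
            if lease.expires <= now:
                del self.leases[vip]
                self.free.append(vip)                    # interface can be reconfigured again

    def resolve(self, client_ip, qname, now):
        """Step 1C: answer a query forwarded from an internal resolver with a virtual IP
        (None if the query is not from inside or no virtual interface is free)."""
        if ipaddress.ip_address(client_ip) not in self.internal:
            return None                                  # only internal clients get rewritten answers
        self._expire(now)
        if not self.free:
            return None                                  # pool exhausted: fail closed, never leak the real A RR
        vip = self.free.pop(0)
        self.leases[vip] = Lease(client_ip, target_from_qname(qname), now + self.ttl)
        return vip

    def proxy_target(self, client_ip, vip, now):
        """Steps 2A-2C: a connection from client_ip arrived on vip; return the host to proxy to."""
        self._expire(now)
        lease = self.leases.get(vip)
        if lease is None or lease.client != client_ip:
            return None                                  # unknown, expired or another client's mapping
        return lease.target
```

Pool exhaustion and lease expiry are the two failure modes a real implementation has to decide on; here both fail closed, and the pool size bounds how many distinct external hosts internal clients can talk to at once.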
