From owner-freebsd-ipfw Fri Feb 9 16:26:56 2001
Date: Fri, 9 Feb 2001 16:26:31 -0800 (PST)
From: Mikko Tyolajarvi
Message-Id: <200102100026.f1A0QVs09860@explorer.rsa.com>
To: cykyc@yahoo.com
Cc: freebsd-ipfw@freebsd.org
Subject: Re: FreeBSD Application firewall w/o ip forwarding enabled
Newsgroups: local.freebsd.ipfw
References: <200102091844.f19Iifg06092@iguana.aciri.org> <20010209195412.27578.qmail@web4501.mail.yahoo.com>

In local.freebsd.ipfw you write:

>> use that (i assume the reason you do not want
>> forwarding
>> is to avoid remapping addresses ?)

> It's not to avoid remapping addresses, but to try and
> use the firewall as an application firewall instead of
> a packet filter firewall. The running application on
> the firewall would be in charge of receiving whatever
> type of information on the external interface and then
> redirecting it to the internal interface, instead of
> simple NAT'n and IP forwarding, which is at the
> network level.

I don't know exactly what you are trying to accomplish, but the TIS fwtk is a pure application level proxy toolkit. Maybe that will be enough?
If the firewall is supposed to look like it is forwarding packets, but transparently filters them through application proxies, then you can use ipfw rules to forward allowed traffic to your proxies, and deny everything else. I have written programs that do this, and they work just fine, but are not available as freeware...

Hmm... it looks like someone has made patches for FWTK to handle transparent proxying - see . Haven't tried it, though.

Also, the Juniper firewall toolkit looks like it might be what you are looking for, but I haven't tried that either.

$.02,
/Mikko
--
Mikko Työläjärvi                                     mikko@rsasecurity.com
RSA Security
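The ipfw arrangement Mikko describes (hand permitted inbound traffic to local proxies, deny the rest), as an added example that is not code from the original mail, from fwtk or from the Juniper toolkit: a small script that prints a ruleset built on ipfw's fwd action. The interface names fxp0/fxp1 and the proxy ports are placeholders, and a kernel built with the IPFIREWALL and IPFIREWALL_FORWARD options is assumed.

```shell
#!/bin/sh
# Added example, not code from the original mail: emit an ipfw ruleset that
# diverts permitted inbound TCP connections on the outside interface to local
# application proxies with the "fwd" action and denies everything else.
# Assumptions (placeholders): outside interface fxp0, inside interface fxp1,
# an HTTP proxy on 127.0.0.1:8080 and an SMTP proxy on 127.0.0.1:2525, and a
# kernel built with options IPFIREWALL and IPFIREWALL_FORWARD.
# net.inet.ip.forwarding can stay 0: every accepted packet ends up in a local
# socket, and the proxy opens its own connection towards the inside.

# proxy_rules EXT_IF INT_IF : print one "ipfw add" command per line.
proxy_rules() {
    ext_if="$1"
    int_if="$2"
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
# inbound services the proxies handle: divert to the local proxy socket
ipfw add 200 fwd 127.0.0.1,8080 tcp from any to any 80 in via $ext_if
ipfw add 210 fwd 127.0.0.1,2525 tcp from any to any 25 in via $ext_if
# replies from the proxies back to outside clients
ipfw add 300 allow tcp from any to any out via $ext_if established
# the proxies' own connections to inside servers and the replies to them
ipfw add 400 allow tcp from me to any out via $int_if
ipfw add 410 allow tcp from any to me in via $int_if established
# nothing else crosses either interface; log it so misses show up
ipfw add 65000 deny log ip from any to any
EOF
}

# Review the output first, then apply it with:  proxy_rules fxp0 fxp1 | sh
proxy_rules fxp0 fxp1
```

Check with `ipfw show` after applying: the fwd rules should count hits as outside clients connect, and the final deny rule's counter shows what the proxies are not covering.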