Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 2 Feb 2004 13:04:50 -0500
From:      "JJB" <Barbish3@adelphia.net>
To:        <jan.muenther@nruns.com>
Cc:        questions@freebsd.org
Subject:   RE: proxies and firewalls
Message-ID:  <MIEPLLIBMLEEABPDBIEGMEJKFHAA.Barbish3@adelphia.net>
In-Reply-To: <20040202170226.GA1903@ergo.nruns.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
Thanks for the detailed explanation.
The light bulb has turned on in my head.
I learn something new all the time on this list.

So let me put this in my own words to verify I understand correctly.
Lets say I have gateway box running 5 PCs on LAN behind it,
with cable dhcp connection to ISP.
The gateway box runs IPFILTER firewall and IPNAT to do NAT function.

I can discontinue using IPNAT and install an application level proxy
server on my gateway box and it will by default intercept all LAN
and gateway originating packet traffic destine for the public
internet after it's processed by my firewall and handle the
bi-directional traffic transparently?

-----Original Message-----
From: jan.muenther@nruns.com [mailto:jan.muenther@nruns.com]
Sent: Monday, February 02, 2004 12:02 PM
To: JJB
Cc: Jorn Argelo; questions@freebsd.org
Subject: Re: proxies and firewalls

> I have Lan with private ip address that send packets to
> public internet. How does an proxy server solve the private ip
> address versus my public ip address problem?

Simply through not routing / NATting at all.

Instead of just forwarding the packets rewriting the IP headers like
a NAT
device does, an application layer proxy does the connections to the
outside
world *INSTEAD* of the client.

To use the popular example of HTTP:
While a NAT device will just forward and rewrite your query to a
server's
port 80/TCP and then forward and rewrite the reply according to its
connection table, an application layer proxy will do the query
*itself*. It
will then process the reply, identify whether it looks like HTML
that
matches its quality/security requirements and then give a friendly
reply to
the client that originally did the query.

Again, the proxy itself plays client on the application layer.

This of course means that all outgoing connections are also done
with the
external IP address of the application level proxy machine.

Clear now?

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGMEJKFHAA.Barbish3>