From owner-freebsd-security Thu Mar 26 10:01:39 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA24597 for freebsd-security-outgoing; Thu, 26 Mar 1998 10:01:39 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from jli.com (jli.com [199.2.111.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id KAA24583 for ; Thu, 26 Mar 1998 10:01:33 -0800 (PST) (envelope-from trost@cloud.rain.com)
Received: (qmail 9785 invoked by uid 4); 26 Mar 1998 18:01:02 -0000
Message-ID: <19980326180102.9784.qmail@jli.com>
Received: (qmail 1275 invoked from network); 26 Mar 1998 17:46:48 -0000
Received: from localhost.cloud.rain.com (127.0.0.1) by localhost.cloud.rain.com with SMTP; 26 Mar 1998 17:46:48 -0000
To: Open Systems Networking
cc: freebsd-security@FreeBSD.ORG
Subject: Re: I need some proxies! :)
References:
In-reply-to: Your message of Thu, 19 Mar 1998 23:02:11 EST.
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <1271.890934408.1@cloud.rain.com>
Date: Thu, 26 Mar 1998 09:46:48 -0800
From: Bill Trost
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Thu, 19 Mar 1998, Graphic Rezidew wrote:
> Open Systems Networking wrote:
> > I'm about to build a security/internet connection for a local corp.
> > That goes a little something like this:
> >
> > Internet--->IPFW/NAT server--->proxy server/SKIP--->Internal lan.
> Just out of curiosity, why would you need a proxy on the "inside" of the
> ''firewall''? I could see using it in select situations, but you may be
> walking up a hill that you don't need to.

To keep outsiders from telnetting to the proxy server?

Actually, I was more wondering why you wanted to run NAT. The only box
that needs to speak to the outside world is the proxy server, so you could
just give it a real IP address. Put the internal network on net 10.0.0.0,
don't put any routes to net 10 on the firewall, and there is "no way" that
an attacker could send any packets to the inside hosts.

Gee, and that's a reason to keep the packet filter and the proxy separate,
too. You can't do routing restrictions in a single-box implementation.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
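An added example, not part of the original message or of any FreeBSD code: a small forwarding-decision model of the two-box design Bill Trost describes (packet filter on the outer box, proxy on a real address behind it, corporate LAN on net 10 with no route to it on the firewall), alongside the single-box alternative. The addresses, interface names, proxy port and the simplified ipfw-like first-match rule list are all assumptions chosen for illustration. The point it makes concrete is the one in the message: with no route to net 10, a packet for an inside host cannot be forwarded inward even if the filter is wide open, whereas the single-box design necessarily carries a connected route to net 10 and the filter is then the only thing in the way.

```python
"""Forwarding-decision model for the outer firewall in a two-box design.

Added example, not code from the original message.  Addresses, interfaces,
ports and rules are constructed assumptions for illustration only.
"""
from ipaddress import ip_address, ip_network

# Constructed addresses (assumptions, not from the message).
ATTACKER = "192.0.2.7"           # a host somewhere on the Internet
PROXY_PUBLIC = "198.51.100.10"   # the proxy's real address on the firewall's inside segment
INSIDE_HOST = "10.0.0.25"        # a host on the corporate LAN behind the proxy

# Routing tables as (destination network, egress interface); longest prefix wins.
# Two-box design: the outer firewall knows only the Internet and the proxy
# segment.  There is deliberately no entry for 10.0.0.0/8.
TWO_BOX_FIREWALL_ROUTES = [
    ("0.0.0.0/0", "ext"),
    ("198.51.100.0/28", "int"),
]
# Single-box design: the same box owns an interface on net 10, so the kernel
# installs a connected route for it; the table cannot avoid knowing the LAN.
SINGLE_BOX_ROUTES = [
    ("0.0.0.0/0", "ext"),
    ("10.0.0.0/8", "int"),
]

# First-match filter rules: (action, proto, src net, dst net, dst port or None).
PROXY_PORT = 8080  # assumed proxy listening port
TWO_BOX_FILTER = [
    ("allow", "tcp", "0.0.0.0/0", PROXY_PUBLIC + "/32", PROXY_PORT),  # proxy service only
    ("deny",  "ip",  "0.0.0.0/0", "0.0.0.0/0", None),                 # everything else
]
WIDE_OPEN_FILTER = [("allow", "ip", "0.0.0.0/0", "0.0.0.0/0", None)]


def pkt(src, dst, proto="tcp", dport=80):
    """A minimal packet record: just the fields the filter and router look at."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def lookup_route(routes, dst):
    """Longest-prefix match; returns the egress interface, or None if no route."""
    best = None
    for net, iface in routes:
        network = ip_network(net)
        if ip_address(dst) in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return None if best is None else best[1]


def filter_verdict(rules, p):
    """Evaluate first-match rules; deny by default if nothing matches."""
    for action, proto, src, dst, port in rules:
        if proto != "ip" and proto != p["proto"]:
            continue
        if ip_address(p["src"]) not in ip_network(src):
            continue
        if ip_address(p["dst"]) not in ip_network(dst):
            continue
        if port is not None and port != p["dport"]:
            continue
        return action
    return "deny"


def forward(routes, rules, p, ingress="ext"):
    """Decide what the box does with a packet that arrived on `ingress`."""
    if filter_verdict(rules, p) != "allow":
        return "denied"
    egress = lookup_route(routes, p["dst"])
    if egress is None:
        return "no-route"
    if egress == ingress:
        # The only matching route points back out the way the packet came in,
        # so no inside host ever sees it, regardless of the filter.
        return "bounced-to-" + egress
    return "forwarded-to-" + egress


if __name__ == "__main__":
    cases = [
        ("two-box, attacker -> proxy:8080", TWO_BOX_FIREWALL_ROUTES, TWO_BOX_FILTER,
         pkt(ATTACKER, PROXY_PUBLIC, dport=PROXY_PORT)),
        ("two-box, attacker -> proxy:23",   TWO_BOX_FIREWALL_ROUTES, TWO_BOX_FILTER,
         pkt(ATTACKER, PROXY_PUBLIC, dport=23)),
        ("two-box, filter wide open, attacker -> inside host", TWO_BOX_FIREWALL_ROUTES,
         WIDE_OPEN_FILTER, pkt(ATTACKER, INSIDE_HOST, dport=23)),
        ("single-box, filter wide open, attacker -> inside host", SINGLE_BOX_ROUTES,
         WIDE_OPEN_FILTER, pkt(ATTACKER, INSIDE_HOST, dport=23)),
    ]
    for label, routes, rules, p in cases:
        print(f"{label}: {forward(routes, rules, p)}")
```

The model covers plain IP forwarding only; it does not represent source-routed packets, ICMP redirects, or the proxy host's own hardening, all of which still matter on the real box.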