From owner-freebsd-questions@FreeBSD.ORG Mon Feb 2 10:05:13 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C941616A4CE for ; Mon, 2 Feb 2004 10:05:13 -0800 (PST)
Received: from mta10.adelphia.net (mta10.adelphia.net [68.168.78.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id D5BC843D6D for ; Mon, 2 Feb 2004 10:04:56 -0800 (PST) (envelope-from Barbish3@adelphia.net)
Received: from barbish ([68.169.105.190]) by mta10.adelphia.net (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id <20040202180506.DBQC9070.mta10.adelphia.net@barbish>; Mon, 2 Feb 2004 13:05:06 -0500
From: "JJB"
Date: Mon, 2 Feb 2004 13:04:50 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
In-Reply-To: <20040202170226.GA1903@ergo.nruns.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
cc: Jorn Argelo
cc: questions@freebsd.org
Subject: RE: proxies and firewalls
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Barbish3@adelphia.net
List-Id: User questions
X-List-Received-Date: Mon, 02 Feb 2004 18:05:14 -0000

Thanks for the detailed explanation. The light bulb has turned on in my head. I learn something new all the time on this list.

So let me put this in my own words to verify I understand correctly. Let's say I have a gateway box running 5 PCs on the LAN behind it, with a cable DHCP connection to the ISP. The gateway box runs the IPFILTER firewall and IPNAT to do the NAT function.

I can discontinue using IPNAT and install an application-level proxy server on my gateway box, and it will by default intercept all LAN- and gateway-originating packet traffic destined for the public internet after it is processed by my firewall, and handle the bi-directional traffic transparently?

-----Original Message-----
From: jan.muenther@nruns.com [mailto:jan.muenther@nruns.com]
Sent: Monday, February 02, 2004 12:02 PM
To: JJB
Cc: Jorn Argelo; questions@freebsd.org
Subject: Re: proxies and firewalls

> I have a LAN with private IP addresses that sends packets to the
> public internet. How does a proxy server solve the private IP
> address versus my public IP address problem?

Simply through not routing / NATting at all. Instead of just forwarding the packets, rewriting the IP headers like a NAT device does, an application layer proxy does the connections to the outside world *INSTEAD* of the client.

To use the popular example of HTTP: while a NAT device will just forward and rewrite your query to a server's port 80/TCP and then forward and rewrite the reply according to its connection table, an application layer proxy will do the query *itself*. It will then process the reply, identify whether it looks like HTML that matches its quality/security requirements, and then give a friendly reply to the client that originally did the query.

Again, the proxy itself plays client on the application layer. This of course means that all outgoing connections are also done with the external IP address of the application level proxy machine.

Clear now?
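The contrast Jan draws above between NAT (forward and rewrite packets) and an application layer proxy (open the connection yourself, inspect the reply, then answer the client) can be made concrete with a small, self-contained demonstration. What follows is an added example and is not code from this thread, from IPFILTER/IPNAT or from any FreeBSD proxy package: it uses only Python's standard-library http.server and http.client to run a constructed "public" origin server, a minimal HTTP proxy and a "LAN" client on localhost. The handler names, the /page and /binary paths, and the policy that only text/html replies are passed on are all assumptions made for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


class OriginHandler(BaseHTTPRequestHandler):
    """Constructed 'public web server'. It records the peer address of every
    connection, so we can see who actually talked to it: client or proxy."""
    seen_peers = []

    def do_GET(self):
        OriginHandler.seen_peers.append(self.client_address)
        if self.path == "/page":
            body, ctype = b"<html><body>hello</body></html>", "text/html"
        else:  # constructed non-HTML reply the proxy policy should refuse
            body, ctype = b"MZ not html at all", "application/octet-stream"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class ProxyHandler(BaseHTTPRequestHandler):
    """Minimal application-layer HTTP proxy (hypothetical). It parses the
    client's request, opens its OWN connection to the origin, inspects the
    reply and only then answers the client. No packet is forwarded as-is."""
    outbound_addrs = []

    def do_GET(self):
        url = urlsplit(self.path)  # forward-proxy request line: GET http://host:port/path
        if url.scheme != "http" or not url.hostname:
            self._reply(400, "text/plain", b"proxy: absolute http URL required\n")
            return
        upstream = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=5)
        upstream.request("GET", url.path or "/", headers={"Host": url.netloc})
        # The socket the origin sees belongs to the proxy, not to the client.
        ProxyHandler.outbound_addrs.append(upstream.sock.getsockname())
        resp = upstream.getresponse()
        body = resp.read()
        ctype = resp.getheader("Content-Type", "")
        upstream.close()
        # Policy hook (assumed for the example): only HTML is handed back.
        if not ctype.startswith("text/html"):
            self._reply(403, "text/plain", b"proxy: content type refused\n")
            return
        self._reply(resp.status, ctype, body)

    def _reply(self, status, ctype, body):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start(handler):
    """Bind an ephemeral localhost port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_via_proxy(proxy, origin, path):
    """The 'LAN' client: it only ever connects to the proxy."""
    client = http.client.HTTPConnection(*proxy.server_address, timeout=5)
    client.request("GET", "http://%s:%d%s" % (origin.server_address[0],
                                               origin.server_address[1], path))
    client_addr = client.sock.getsockname()
    resp = client.getresponse()
    result = (resp.status, resp.read(), client_addr)
    client.close()
    return result


def run_demo():
    """Fetch an HTML page and a non-HTML object through the proxy and report
    who the origin saw connecting."""
    OriginHandler.seen_peers.clear()
    ProxyHandler.outbound_addrs.clear()
    origin, proxy = start(OriginHandler), start(ProxyHandler)
    try:
        status_html, body_html, client_addr = fetch_via_proxy(proxy, origin, "/page")
        status_bin, body_bin, _ = fetch_via_proxy(proxy, origin, "/binary")
    finally:
        for srv in (proxy, origin):
            srv.shutdown()
            srv.server_close()
    return {
        "html": (status_html, body_html),
        "binary": (status_bin, body_bin),
        "origin_saw_proxy": OriginHandler.seen_peers == ProxyHandler.outbound_addrs,
        "origin_saw_client": client_addr in OriginHandler.seen_peers,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running it shows the two points of Jan's reply: the origin server's connection log contains only the proxy's outbound sockets, never the client's, and the non-HTML object is stopped at the proxy with a 403 instead of being relayed. The client here is configured to speak to the proxy explicitly (the absolute URL in the request line); the demonstration is about who originates the outside connection, not about how traffic is steered to the proxy.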