Date:      Fri, 9 Feb 2001 16:26:31 -0800 (PST)
From:      Mikko Tyolajarvi <mikko@dynas.se>
To:        cykyc@yahoo.com
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: FreeBSD Application firewall w/o ip forwarding enabled
Message-ID:  <200102100026.f1A0QVs09860@explorer.rsa.com>
References:  <200102091844.f19Iifg06092@iguana.aciri.org> <20010209195412.27578.qmail@web4501.mail.yahoo.com>

In local.freebsd.ipfw you write:

>> use that (I assume the reason you do not want
>> forwarding is to avoid remapping addresses?)

>It's not to avoid remapping addresses, but to try and
>use the firewall as an application firewall instead of
>a packet filter firewall.  The running application on
>the firewall would be in charge of receiving whatever
>type of information on the external interface and then
>redirecting it to the internal interface, instead of
>simple NAT'n and IP forwarding, which is at the
>network level.

I don't know exactly what you are trying to accomplish, but the TIS
fwtk is a pure application level proxy toolkit.  Maybe that will
be enough?

If the firewall is supposed to look like it is forwarding packets, but
transparently filters them through application proxies, then you can
use ipfw rules to forward allowed traffic to your proxies, and deny
everything else.  I have written programs that do this, and they work
just fine, but are not available as freeware...

Hmm... it looks like someone has made patches for FWTK to handle
transparent proxying - see <http://www.fwtk.org/>.  Haven't tried it,
though.

Also, the Juniper firewall toolkit <http://www.obtuse.com/> looks like
it might be what you are looking for, but I haven't tried that either.

   $.02,
   /Mikko
-- 
 Mikko Työläjärvi_______________________________________mikko@rsasecurity.com
 RSA Security
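
The ipfw arrangement described in the message above (forward allowed traffic to local application proxies, deny everything else), as an added example that is not part of the original e-mail or of the author's programs. The interface names, proxy ports and rule numbers are assumptions, as is a kernel with ipfw `fwd` support and proxies listening on 127.0.0.1.

```shell
#!/bin/sh
# Added example: hand allowed TCP services to local proxies, deny the rest.
# Assumed names: fxp0 = client-facing interface, fxp1 = server-facing
# interface, proxies on 127.0.0.1:8080 (HTTP) and 127.0.0.1:2525 (SMTP).
IPFW="${IPFW:-/sbin/ipfw}"      # IPFW=echo prints the rules instead of loading them
IN_IF="${IN_IF:-fxp0}"
OUT_IF="${OUT_IF:-fxp1}"
PROXIES="${PROXIES:-80:8080 25:2525}"   # service-port:proxy-port pairs

load_rules() {
    $IPFW -q flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 check-state
    n=1000
    for pair in $PROXIES; do
        svc=${pair%%:*}
        pport=${pair##*:}
        # Every client packet for the service is delivered to the local
        # proxy, whatever its destination address.
        $IPFW add $n fwd 127.0.0.1,$pport tcp from any to any $svc in via $IN_IF
        # Proxy replies leave with the original server address as source,
        # so they cannot be matched with "me".
        $IPFW add $((n + 1)) allow tcp from any $svc to any out via $IN_IF established
        # The proxy's own upstream connection, tracked statefully.
        $IPFW add $((n + 2)) allow tcp from me to any $svc out via $OUT_IF setup keep-state
        n=$((n + 10))
    done
    # Anything not explicitly handed to a proxy is dropped and logged.
    $IPFW add 65000 deny log ip from any to any
}

# Load the rules only when asked to: sh thisfile apply
if [ "${1:-}" = "apply" ]; then
    load_rules
fi
```

Running it with `IPFW=echo` prints the rule set for review before anything is loaded.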

