Re: transparent-proxy

Julio Sanchez (jsanchez@esegi.es)
27 May 1996 09:54:10 +0200


In article <199605252004.WAA07564@wildsau.idv.uni-linz.ac.at> Herbert Rosmanith <herp@wildsau.idv.uni-linz.ac.at> writes:

> but can't I do the same by using the ip-masquerading option ?
> for telnet, I can achieve the same results with masquerading.
> for httpd and ftp this would make sense, since their requests
> can be cached (allthough most http/ftp clients have proxy-support?)
> are there other possibilities for usage ?

>From a security point of view, a filtering rule that allows outgoing
TCP requests (SYN without ACK) plus packets with the ACK bit set in
either direction is not much worse than SOCKS or the plug-gw in the
TIS FWTK and Gauntlet or similar generic TCP relays. Let's take
address hiding and masquerading out of the picture, since they are
rather orthogonal to the main security issue.

So you can use either technique. There are two schools of thought
now. Those who think that it is smart to mix packet filtering with
proxies and those who don't. I happen to be closer to the second
school of thought. By mix above I mean letting some services through
by packet filters and some through proxies. This would be a parallel
setup, instead of a serial setup where you have to meet both the
filters and proxies rules to get through.

Proxies really shine when you want to do complex filtering on
application data. Examples are strong authentication,
permitting/denying operations at the application level such as you can
GET but you can't PUT, filtering constructions out of HTML pages,
detailed logging, etc.

Also in some cases the protocols may be so convoluted that
implementing a module for them in the kernel becomes problematic. In
this case, an application-level gateway may be easier to write, debug
and prove secure.

If you belong to the first school of though, using proxies for letting
simple protocols through is overkill. Packet filters have lower
latency and less overhead. You decide. But now you have the choice.

And, of course, caching is also an option as you point out.

BTW, I am running the new transparent proxy facility using the proxies
of a commercial proxy-based firewall. I only needed minor changes to
the kernel. It has been running since Friday and seems OK. So I have
abandoned my old code (an older version of which was available at
ftp.esegi.es) and its README file will be updated to reflect that I
consider it deprecated. Good job, Willy and Jos.

Julio