[551] in linux-net channel archive
Transparent application-level gateways
daemon@ATHENA.MIT.EDU (Julio Sanchez)
Wed Jun 21 05:21:40 1995
To: gmv-gw-lists-linux-net@gmv.es
From: jsanchez@gmv.es (Julio Sanchez)
Date: 21 Jun 1995 07:29:23 GMT
Now we have blocking and forwarding filters and masquerading. As far as I know there is only one piece missing: kernel support for application-level gateways. In case it is not clear what I mean:
- You put a host along the default route (the gateway) for some network.
- You start a client application from some host in that network that connects to some remote host.
- The packets, even if their destination address is for none of the gateway addresses, are captured and passed upstream.
- An application running in the gateway then does the right thing (depending on what we are trying to achieve), possibly connecting to the real destination on behalf of the requestor.
This has several applications:
- Firewalls that use application-level gateways (TIS' Gauntlet is but one example) transparently. Currently, you can use the TIS firewall toolkit, but unless you modify your clients the gateway is not transparent. This may be impossible.
- Transparent caching servers for HTTP, FTP, etc. You can do some of this with, say, the CERN httpd proxy, but all clients must be configured to do so. If you have a large network, unless you are firewalling, many clients will not use the cache, diminishing its effectiveness.
I have not fully studied the way to do it and I guess I will not know what the right way to do it is (i.e. overloading the blocking firewall, overloading the forwarding firewall, just doing it for everything, implications of the ability to generate packets from bogus addresses and whether this requires the application to run as root under certain circumstances, etc.) until I actually do it.
Before I spend any more time on this, is there anyone doing or planning to do it?
Julio
--
Julio Sanchez, GMV SA, Isaac Newton 11, PTM Tres Cantos, E-28760 Madrid, Spain
Ph. +34 1 807 21 85 | jsanchez@gmv.es | Traveller, there is no
Fax +34 1 807 21 99 | jsanchez%gmv.es@Spain.EU.net | path; paths are made by
Telex 48487 GMEV E | jsanchez@esegi.es | walking (A. Machado)