On Sat, Aug 21, 1999 at 01:00:05AM -0700, you wrote:

> On Thu, Aug 19, 1999 at 04:39:42PM -0600, Mark Arroyo wrote:
> <SNIP> 
> > 
> > Transparency is not enabled on either card
> >
> <SNIP>
> > 
> > I do have almost total functionality except that I cannot seem to configure
> > the firewall to allow my users to check other POP3 email accounts besides
> > the main POP3(ISP) account we have. With sending up mail to our ISP mail
> > server via smtp I had to disable transparency on the inside adapter to be
> > able to enter an external mail server. I have tried to add plug proxies to
> > take care of the different newsgroup servers that my users need to get to
> > but this does not seem to work. I have also tried to use Plug proxies for
> > the other POP3 accounts with no success. I would appreciate any help at all.
> > Let me know if you have any other questions about my set up.
> > 
> 
> OK, your first problem is that you don't have transparency enabled on the
> inside interface.  When you DON'T have transparency you need a couple of
> things to get to the outside world:
>       1)  a client program that understands that there is a proxy in the way
>       like a web browser
>       2a) a proxy on the firewall which understands that the request from
>       the client will be to connect to a place on the outside e.g. the ftp
>       proxy
>       2b) a proxy on the firewall which points to one place only and merely
>       forwards/returns any traffic it sees to that place e.g. a plug proxy
> 
> Not sure what you mean about the email since SMTP is a proxy on Gauntlet -
> hence you deliver to the Gauntlet system and it delivers externally: hack
> the sendmail.cf if you want to use a smarthost.
> 
> When your users use their news clients how do they connect to the external
> news server?  If they put the external IP of the news server how do they get
> there since you have turned transparency off?  In your current config they
> cannot get to the other side without using a client that understands there is
> a proxy in the way.  So you have to either turn transparency on or assign the
> inside interface multiple IPs and put a plug to connect to the different
> news servers - the users then connect to the inside IP for the news server
> they want.
> 
> POP3 is the same except that the POP3 proxy will allow access to multiple
> mail servers when transparency is on IF you alter the gauntlet.conf.  In
> version 4.2/5 by default it turns on authentication even if you leave the
> destination blank - to stop this you have to alter the bit of gauntlet.conf
> that turns authentication on for the POP3 proxy, it normally has all in the
> field just delete this.
> 
> Hope this helps,
> 
> Steve

I've prolly come in in the middle of this thread, but you've possibly missed a
method of connecting through Gauntlet and that is packet screening - ie. under
screening in the GUI or using "authenIP: " type lines in your netperm-table -
dunno if this will help in this particular situation tho (requires a reboot of
the system).  This puts the kernel into packet filter mode and applies these
rules before anything else (such as proxies), therefore forwarding packets
from one interface and out another.


James
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
