On Mon, 12 Mar 2001, mouss wrote:

> Paul, they don't need to use raw sockets (well, you said "basically", so....).

That's simply the easiest to understand implementation once you get to
wondering how it'd be done.  It also has the advantage of being doable in
userland should you wish to play... though the handshaking and frags
require a lot of code.

> I'd say:
>    a proxy is said transparent when the user doesn't need to refer to it.

I thought he understood that part of it. ;)

> 
> Technically, something redirects the flow to the proxy. That "something" is
> a smart IP stack modification that does that. This is either done "easily"

Or a raw socket ;)

> by handing the traffic to the local transport handler (mostly the TCP stack)
> or by doing NAT based redirection. The former is the simplest and is implemented
> in Linux ip filters, BSD ipfw, Gauntlet, and many others. The NAT method is
> implemented by ipfilter and others. The advantage of the first method is that the
> proxy can retrieve the "real" destination by just a sockname(). while the 

Unfortunately NAT doesn't work well for non-well known ports without an
inspection layer, making the complexity high or the functionality low.
You could cover most port 80 stuff trivially with NAT, but it gets more
and more difficult depending on how much application layer stuff is
involved.

> as part of data (such as an http header), but this is not guaranteed.
> Some proxies may implement a "fully transparent" mode where they use the client
> IP address for their requests, but this requires modifications to the TCP/UDP stack

Not really, you can spoof the outbound side as easily as the inbound side,
so unless the stack doesn't have SOCK_RAW or an equiv., or the stack
enforces anti-spoofing rules, no stack modification is necessary.

> (simple transparency requires modifications to the IP stack, not the TCP/UDP/* parts!).

For completeness, you could also do the same thing at layer 2 and bypass
the normal stack.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
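An added illustration (not code from the thread or from any of the products named in it) of the point mouss makes about recovering the "real" destination: when the firewall hands a redirected flow to the local TCP stack, the accepted socket's local address is the address the client actually dialed and getsockname() returns it; when the redirection is NAT based, getsockname() only shows the proxy's own listener and the original destination has to be asked for separately. The Linux netfilter case uses the SO_ORIGINAL_DST socket option (value 80 in <linux/netfilter_ipv4.h>; Python's socket module does not define it, so it is spelled out here). The loopback demo at the end is constructed: the client dials the listener directly, so the recovered destination is simply the listener's own address.

```python
"""Recovering the original destination of a redirected TCP connection in a
transparent proxy.  Added example for illustration; assumptions are noted inline."""
import socket
import struct

# Linux-specific: defined in <linux/netfilter_ipv4.h>, absent from Python's socket module.
SO_ORIGINAL_DST = 80


def decode_sockaddr_in(raw: bytes):
    """Turn a kernel-supplied sockaddr_in into (ip, port).

    Layout: sa_family (2 bytes), sin_port (2 bytes, network order),
    sin_addr (4 bytes), then padding.  unpack_from ignores the padding.
    """
    port, packed_ip = struct.unpack_from("!2xH4s", raw)
    return socket.inet_ntoa(packed_ip), port


def original_destination(conn: socket.socket, listener_addr):
    """Return (ip, port) that the client really connected to.

    conn          - socket returned by accept()
    listener_addr - (ip, port) the proxy itself is listening on
    """
    local = conn.getsockname()[:2]
    if local != listener_addr:
        # The flow was handed to the local stack with its destination intact
        # (the "first method" in the thread): getsockname() is all we need.
        return local
    # The local address is our own listener, so either the client dialed us
    # directly or a NAT rule rewrote the destination.  Ask netfilter for the
    # pre-NAT tuple; on a non-NATed flow or a non-Linux stack this fails and
    # the listener address is the genuine destination.
    try:
        raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return local
    return decode_sockaddr_in(raw)


def demo_loopback():
    """Constructed run: a client connects straight to the listener (no redirect),
    so the recovered destination must equal the listener's own address.
    Returns (recovered_destination, listener_addr)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    listener_addr = srv.getsockname()[:2]
    cli = socket.create_connection(listener_addr)
    conn, _peer = srv.accept()
    try:
        return original_destination(conn, listener_addr), listener_addr
    finally:
        conn.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    dest, listener = demo_loopback()
    print("client dialed", dest, "- proxy listens on", listener)
    # A real proxy would now socket.create_connection(dest) and relay bytes
    # in both directions, possibly after inspecting the application data.
```

The comparison against the listener address is what separates the two redirection styles the thread describes; a proxy that only ever calls getsockname() works on stacks that hand the flow to the local transport handler, but silently proxies to itself under NAT based redirection.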
