I think the original post was, of course not intended, misleading about how the owner was using the word "Proxy". A "Proxy" usually is used in the meaning "someone or something standing IN for another party that is not directly addressable"; NAT would be one proxy. I believe I was in the mind frame that the post was questioning whether it would be feasible to have the IPF-Bridge firewall make connections for him on his behalf and not merely pass, unmodified, the original packet if it matched a rule in the FILTER.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jefferson Ogata
Sent: Wednesday, June 12, 2002 6:42 PM
To: IP Filter
Subject: Re: FTP Proxy with IPF 3.4.28

Clayton Fiske wrote:
> On Wed, Jun 12, 2002 at 02:45:30AM -0400, Jefferson Ogata wrote:
>
>> The FTP proxy doesn't theoretically require an IP address. It just sits inline
>> and adds rules as it observes PORT commands. It may not work, but there's no
>> reason it couldn't work theoretically in a bridge configuration.
>>
>> There's no real reason NAT couldn't serve a limited function in a bridge
>> configuration as well. Just because an address gets translated doesn't mean
>> that the resulting address must reside on the firewall. It just needs to have
>> arp in place so it gets routed back. Again, I'm talking theory here, not practice.
>
> I think this is all just a matter of semantics. In fact, NAT and
> proxies do require an IP address. They just don't require it to be
> assigned to an interface on the firewall. But if you're going to
> add an arp entry pointing it at the firewall anyway, then for the
> purposes of NAT and proxy the firewall does have an IP. It just
> doesn't respond directly to it.
>
> But this is all just splitting hairs.

I don't think it's splitting hairs. NAT is a completely different function from what the IP Filter FTP proxy does when it is not asked to perform address translation. In non-translating mode, the FTP proxy is simply a filter rule engine.

As for arp, I did not say that the arp entry should point at the firewall; I said only that arp needs to be in place. With the firewall in bridging mode, this means that the arp for the source address must point to a host on the other side of the bridge. Even if, however, you do point arps at the firewall's interfaces, that does not mean the firewall has an IP. If the firewall has an IP, that means you can address services bound by the firewall's bind() call using that IP, and arp by itself doesn't accomplish this at all. It is perhaps semantics, but it is definitely not splitting hairs.

--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
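The thread describes the non-translating FTP proxy as "simply a filter rule engine" that watches the control channel and adds a rule each time it sees a PORT command. The following is an added illustration of that mechanism, written for this page; it is not code from IP Filter or from anyone in the thread. It parses RFC 959 `PORT h1,h2,h3,h4,p1,p2` arguments, applies the two sanity checks a proxy in that position would want (the announced address must be the client that owns the control connection, and the announced port must not be privileged), and emits a pass rule for the expected server-to-client data connection. The function names, the sample session lines and the ipf-like rule text are all constructed for the example.

```python
import ipaddress
import re

# Argument of an FTP PORT command per RFC 959: four address octets, then
# two port octets, all decimal and comma-separated.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)

# Constructed control-connection endpoints for the demo (not from the thread).
CLIENT_IP = "192.168.1.10"
CLIENT_CTRL_PORT = 40000
SERVER_IP = "10.0.0.5"

# Constructed sample of client->server control-channel lines, not a capture.
SAMPLE_CONTROL_LINES = [
    "USER anonymous",
    "PORT 192,168,1,10,4,1",    # legitimate: client's own address, port 4*256+1 = 1025
    "PORT 10,0,0,9,4,1",        # announces a third-party address: refused
    "PORT 192,168,1,10,0,21",   # privileged port 21: refused
    "PORT 192,168,1,10,4",      # too few fields: malformed
    "RETR file.txt",
]


def parse_port_command(line):
    """Return (IPv4Address, port) for a PORT line, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    # \d{1,3} admits 256..999, so range-check every octet explicitly.
    if any(f > 255 for f in fields):
        return None
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return ip, port


def derive_data_rule(control_src_ip, control_src_port, server_ip, port_line):
    """Turn one observed PORT command into a pass rule for the active-mode data
    connection (server port 20 -> client announced port), or return the reason
    no rule is added. Hypothetical helper, not IP Filter's ip_ftp_pxy logic."""
    parsed = parse_port_command(port_line)
    if parsed is None:
        return None, "malformed PORT command"
    client_ip, client_port = parsed
    # The announced address must belong to the host owning the control
    # connection; anything else would open a hole towards a third party.
    if client_ip != ipaddress.IPv4Address(control_src_ip):
        return None, "PORT address does not match control-connection source"
    # An active-mode data channel is expected on an ephemeral port.
    if client_port < 1024:
        return None, "PORT requests a privileged port"
    rule = {
        "action": "pass", "proto": "tcp",
        "from": f"{server_ip}/32", "from_port": 20,
        "to": f"{client_ip}/32", "to_port": client_port,
        "flags": "S", "keep_state": True,
    }
    return rule, "ok"


def rule_to_text(rule):
    """Render the rule in an ipf.conf-like form (illustrative syntax only)."""
    return (f"{rule['action']} in quick proto {rule['proto']} "
            f"from {rule['from']} port = {rule['from_port']} "
            f"to {rule['to']} port = {rule['to_port']} "
            f"flags {rule['flags']} keep state")


def demo():
    """Run the sample session through the engine; return (rules, rejections)."""
    rules, rejected = [], []
    for line in SAMPLE_CONTROL_LINES:
        if not line.upper().startswith("PORT"):
            continue  # only PORT commands change the dynamic rule set
        rule, reason = derive_data_rule(CLIENT_IP, CLIENT_CTRL_PORT, SERVER_IP, line)
        if rule is not None:
            rules.append(rule)
        else:
            rejected.append((line, reason))
    return rules, rejected


if __name__ == "__main__":
    added, refused = demo()
    for r in added:
        print("ADD   ", rule_to_text(r))
    for line, why in refused:
        print("REFUSE", repr(line), "->", why)
```

Note that nothing in the block needs an address of its own: it only reads the control channel and derives a rule keyed on the two endpoints it already sees, which is the sense in which the thread says the proxy in non-translating mode does not require the firewall to have an IP.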
