Gauntlet source IP address re-write question

Chris michael cm@rmsbus.com
Sat, 07 Nov 1998 17:34:54 -0800


At 09:08 AM 11/4/98 -0800, esteban wrote:
>Being an APG, the proxy rewrites the source IP address of connections outgoing
>from the internal protected networks to that of the outside interface of the
>firewall.

Well, sort of.  Actually there are two separate connections open for each
user session:  One from the user on the inside to the firewall and one from
the firewall to the destination.  The application proxy moves the *data*
back and forth between the two connections--not packets.  So the addresses
aren't really rewritten--you're just seeing the outside connection.

>There is an option for "transparency" in Gauntlet, but from what I can tell
>from the documentation, it only works in such a way that the internal users can
>initiate connections directly to the outside world. Transparency in that case
>provides for not having to reconfigure internal users' machines.

Correct.  The default is to have transparency enabled for the internal
interface, but it can be enabled for other interfaces, too.

>
>The problem is the IP address rewrite.  When I connect to some external host
>with whatever application, I want to see the source IP address as the real IP
>address, not the IP address of the firewall.

Usually people want to do just the opposite.  They want to hide their
internal addresses. 

>Is there such a way to make
>Gauntlet do that? As far as I can tell, the only way is to use the "Plug"
>proxy, which does have an option for passing the source IP address. But there
>is no such option on the telnet proxy setup.

That's what the manual says.  I suppose you might be able to do something
with NAT.  I don't know that you could preserve the actual internal
addresses, but you could, I think, do a one to one mapping of internal
addresses to external.

>
>Raptor, on the other hand, in the last release of their software implemented a
>whole scale transparency that does accomplish maintaining the source IP address
>of connections coming across the proxies. Is there really no such comparable
>option in Gauntlet? Can you turn off source IP address re-write?

Since it's not really a re-write of addresses, but a function of how
proxies work, you can't just turn it off.  

You might want to post this question to the gauntlet-user list for a second
opinion.  See http:\\rmsbus.com\gauntlet-user.htm for information.

chris
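The two-connection behaviour Chris describes, as an added illustration that is not from the original thread and is not Gauntlet's code: a minimal TCP application-level proxy that opens its own outbound connection and relays data between the two sockets. The demo is constructed to run on loopback, so both ends share 127.0.0.1 and the evidence that the destination sees the proxy rather than the client is the peer port it records.

```python
import socket
import threading

def relay(src, dst):
    # Move *data* from one connection to the other; no packets are forwarded.
    while True:
        chunk = src.recv(4096)
        if not chunk:
            break
        dst.sendall(chunk)
    try:
        dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other side
    except OSError:
        pass

def handle_client(client, dest):
    # Second, independent TCP connection: the destination only ever sees
    # this socket's address and port, never the client's.
    outbound = socket.create_connection(dest)
    t = threading.Thread(target=relay, args=(outbound, client), daemon=True)
    t.start()
    relay(client, outbound)
    t.join()
    outbound.close()
    client.close()

def serve_once(sock, handler):
    # Accept exactly one connection and hand it to handler.
    conn, peer = sock.accept()
    handler(conn, peer)

def demo(payload=b"hello through the proxy\n"):
    # Constructed end-to-end run: client -> proxy -> echo destination, all on loopback.
    seen = {}
    def destination(conn, peer):
        seen["peer"] = peer               # who the destination thinks connected
        conn.sendall(conn.recv(4096))     # echo once, then close
        conn.close()
    dest_sock = socket.socket(); dest_sock.bind(("127.0.0.1", 0)); dest_sock.listen(1)
    proxy_sock = socket.socket(); proxy_sock.bind(("127.0.0.1", 0)); proxy_sock.listen(1)
    threading.Thread(target=serve_once, args=(dest_sock, destination), daemon=True).start()
    threading.Thread(target=serve_once, args=(proxy_sock,
                     lambda c, _: handle_client(c, dest_sock.getsockname())), daemon=True).start()
    client = socket.create_connection(proxy_sock.getsockname())
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)
    echoed = b""
    while chunk := client.recv(4096):
        echoed += chunk
    client_port = client.getsockname()[1]
    client.close(); dest_sock.close(); proxy_sock.close()
    return echoed, client_port, seen["peer"][1]
```

Returned tuple: the echoed bytes, the client's own local port, and the peer port the destination recorded; the last two differ because the destination's peer is the proxy's outbound socket.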