OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archive: Re: IP transparent proxies (source).

Re: IP transparent proxies (source).


Magossa'nyi A'rpa'd (magbunuel.tii.matav.hu)
Thu, 6 Nov 1997 08:18:42 +0100


[ I guess the last questions are relevant to firewall-wizards ]
>
> I've been building a firewall based on Linux, and I'd like to
> share a couple of neat little things that I've done. They're not
> commercial-quality or anything, but they're pretty slick, and do their
> job well.
A very needed project. I don't have much free cicles, but I am ready to
spend some on it. I have a half-done central configuration tool to
contribute, plus those cicles.
>
> I've been really interested in IP_TRANSPARENT_PROXY stuff, and
> have made two tools that are really useful for taking advantage of it.
> The first is tplug-gw, which is based on the fwtk plug-gw, and can
As you have already noticed, playing with fwtk code not a good idea at all.
It's cool and good but copyrighted.
Reason: We have a _big_ intranet and decided to segment it with firewalls.
The firewall of choice is TIS Gauntlet, partly because fwtk. I thought we
will install Gauntlet to the most important places, and fwtk to the rest,
and get support for both from our local support company. They told me, that
they just can't give support for fwtk because copyright reasons (my reading
of the copyright wasn't exactly that, but it's another issue).
If there would be a free "fwtk", this wouldn't be a problem at all.
Be sure not to do the same mistake which the KDE people did.
> TCP OOB attacks, fragmentation attacks, etc. I'm not including the
> source here yet, because I'm not sure if I'm allowed to redistribute it,
> according to the fwtk license. I might just re-write it from scratch,
> as it isn't too complicated, and then it could be released without
> problems.
Let's rewrite it from scratch. I guess transproxyd would be a nice starting
point. I would like if the configuration would be as TISish as copyrightwize
possible. And If we could implement a way to define the protocols in an
intuitive way, and build the proxies partly with bison and yacc, it could
make building new proxies more easy. (And modified versions, as I guess
every one of us have another view on the http-gw issue. Should it allow only
standard html? What extensions to allow? What to do with java/activex?)
It is also an opportunity to handle policies depending on source _and_
destination. With Gauntlet it is a little tricky to do in a clean way.

Questions:
 I am trying to find problems with the security of bison-generated
        proxyes. I couldn't find one, could someone point out some?
 In what extent it is OK to use the same configuration method as TIS?
 What firewall wizards regard as allowable html?

---
GNU GPL: csak tiszta forrásból



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:09:48 CDT