Proxies

From securityrouter.org, an OpenBSD-based firewall
Revision as of 23:24, 4 March 2012 by Erik

Some protocols need the help of a proxy to work properly through a NAT firewall. This is due to historical design decisions in these protocols that date back to before NAT became common: they either carry IP addresses and port numbers inside their payload, which NAT does not rewrite, or they run over a transport that has no port numbers for NAT to tell connections apart by.

FTP-proxy

The FTP-proxy addresses an issue with outbound FTP connections. If the client uses active FTP transfers (which should be considered deprecated), it asks the server to connect back to the client and send the data over a separate data connection, instead of the client connecting to the server. That isn't a problem if the client isn't behind a NAT firewall and has its own public IP address. If the client is behind a NAT firewall there are two major technical issues.

  • The client only knows its internal IP address, and that is what it asks the server to connect back to in the PORT command (e.g. 10.0.0.31:12345). The server cannot reach that address.
  • The firewall isn't configured to forward inbound traffic on port 12345 to the client's FTP client, so even a connection to the firewall's external address would be dropped.

The ftp-proxy solves this by intercepting the outbound FTP control connection, rewriting the address and port in the PORT command to the firewall's external IP address and a port of its own choosing, and opening a temporary port forwarding for that single data connection, which it removes again when the transfer is done. This proxy should ONLY be configured on local interfaces. Keep in mind, though, that allowing an FTP client the power to open ports in the firewall is not in line with good security practice, even if each opening is narrow and short-lived.
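The following is an added example, not securityrouter.org's own code and not the source of OpenBSD's ftp-proxy(8). It models the one step described above: decode a client's active-mode PORT command, refuse anything that does not point back at the client itself, substitute the firewall's external address and a proxy-chosen external port, and produce the narrow, temporary forwarding rule that makes the server's data connection reach the client. The addresses, the external port 55001 and the rdr-to rule text are constructed for illustration; the real proxy loads its rules into a PF anchor and may word them differently.

```python
"""Added example: what an FTP proxy does with an active-mode PORT command
from a client behind NAT. Not securityrouter.org's or ftp-proxy(8)'s code;
all addresses and ports below are constructed."""
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): the address as four decimal octets and
# the port split into high and low byte, so port = p1 * 256 + p2.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


def parse_port(line: str) -> tuple[str, int]:
    """Decode a PORT command into (ip, port); reject malformed or privileged ports."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {line!r}")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port < 1024:
        # never let a client ask the firewall to forward a privileged port
        raise ValueError(f"refusing to forward privileged port {port}")
    return ip, port


def format_port(ip: str, port: int) -> str:
    """Encode (ip, port) back into the PORT command wire format."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


def rewrite_port(line: str, client_ip: str, server_ip: str, ext_ip: str, ext_port: int):
    """Handle one PORT command seen on the control connection client_ip -> server_ip.

    Returns the rewritten PORT line to send on to the server and the PF rule
    (illustrative rdr-to syntax) that forwards exactly one data connection:
    from this server, to this external port, to this client's port, nothing else.
    """
    ip, client_port = parse_port(line)
    if ip != client_ip:
        # a client must not be able to open a forward to some other internal host
        raise ValueError(f"PORT address {ip} does not match client {client_ip}")
    rule = (f"pass in quick inet proto tcp from {server_ip} to {ext_ip} port {ext_port} "
            f"rdr-to {client_ip} port {client_port}")
    return format_port(ext_ip, ext_port), rule
```

The two refusals in the code are the checks a practitioner would want from any such proxy: the PORT address must be the client's own, otherwise an FTP client could punch a hole towards another internal host, and privileged ports are never forwarded. Everything the rule matches on (server, external port, client port) comes from one specific transfer, which is what keeps the "client opens ports in the firewall" caveat above as small as it can be made.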

PPTP-proxy

The PPTP-proxy addresses an issue where multiple clients behind a NAT firewall try to connect to the same external PPTP server. PPTP and GRE were never designed to work through NAT. GRE is treated as a "three tuple" protocol by most NAT firewalls (source address, destination address, protocol), unlike TCP and UDP which are "five tuple" (source address, source port, destination address, destination port, protocol). Two TCP or UDP connections from different internal hosts to the same external host can therefore be told apart by their port numbers and mapped back to the right internal host through the firewall's state table. Two GRE flows from different internal hosts to the same PPTP server look identical to a three-tuple NAT, so returning GRE traffic cannot be delivered to the correct client.

The pptp-proxy solves this by intercepting the outbound PPTP control connection (TCP port 1723), rewriting the client's call ID so that it is unique behind the firewall, and routing the GRE traffic according to its own state table keyed on the call ID (a "four tuple": source address, destination address, protocol and call ID). This proxy should ONLY be configured on local interfaces.
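The following is an added example, not securityrouter.org's own code and not the source of OpenBSD's pptp-proxy(8). It models the call-ID state table described in the two paragraphs above: two clients behind one NAT address both call the same PPTP server with the same call ID, the proxy rewrites each client's Call ID in its Outgoing-Call-Request to a unique value, and inbound GRE from the server is then delivered to the right client by looking up (server, call ID) rather than the GRE three tuple. Message layouts follow RFC 2637 (Outgoing-Call-Request and -Reply, enhanced GRE); the addresses, call IDs, the starting point 0x4000 for proxy-chosen IDs and the PPP payload are constructed, and the control messages are padded minimal frames rather than fully populated ones.

```python
"""Added example: a PPTP proxy's call-ID based state table. Not
securityrouter.org's or pptp-proxy(8)'s code; message layouts follow RFC 2637,
everything else (addresses, call IDs, payloads) is constructed."""
import struct

PPTP_MAGIC = 0x1A2B3C4D
OUT_CALL_REQUEST, OUT_CALL_REPLY = 7, 8
GRE_FLAGS_PPTP = 0x2001   # K (key present) bit set, GRE version 1, no seq/ack
GRE_PROTO_PPP = 0x880B


def outgoing_call_request(call_id: int) -> bytes:
    """168-byte Outgoing-Call-Request; the client's Call ID is at offset 12."""
    hdr = struct.pack("!HHIHHHH", 168, 1, PPTP_MAGIC, OUT_CALL_REQUEST, 0, call_id, 1)
    return hdr + bytes(168 - len(hdr))


def outgoing_call_reply(server_call_id: int, peer_call_id: int) -> bytes:
    """32-byte Outgoing-Call-Reply; Call ID at offset 12, Peer's Call ID at 14."""
    hdr = struct.pack("!HHIHHHH", 32, 1, PPTP_MAGIC, OUT_CALL_REPLY, 0,
                      server_call_id, peer_call_id)
    return hdr + bytes(32 - len(hdr))


def gre_packet(call_id: int, ppp: bytes) -> bytes:
    """Enhanced GRE header: the 32-bit Key field is payload length (high 16 bits)
    and the receiver's Call ID (low 16 bits). There are no ports; the Call ID
    is the only per-flow demultiplexer GRE offers a NAT."""
    return struct.pack("!HHHH", GRE_FLAGS_PPTP, GRE_PROTO_PPP, len(ppp), call_id) + ppp


def call_id_of(pkt: bytes, offset: int) -> int:
    """Read a big-endian 16-bit field (Call ID or message type) at offset."""
    return struct.unpack_from("!H", pkt, offset)[0]


class PptpProxy:
    """State keyed on (server address, call ID): the 'four tuple', with the
    firewall's external address and GRE as the implied other two members."""

    def __init__(self) -> None:
        # (server_ip, proxy_call_id) -> (client_ip, client's original call_id)
        self.state: dict[tuple[str, int], tuple[str, int]] = {}
        self.next_id = 0x4000   # constructed starting point for proxy-chosen IDs

    def _new_call_id(self, server_ip: str) -> int:
        while (server_ip, self.next_id) in self.state:
            self.next_id = (self.next_id + 1) & 0xFFFF or 1
        cid, self.next_id = self.next_id, (self.next_id + 1) & 0xFFFF or 1
        return cid

    def client_control(self, client_ip: str, server_ip: str, msg: bytes) -> bytes:
        """Client -> server on TCP 1723: make the client's Call ID unique per server."""
        if call_id_of(msg, 8) != OUT_CALL_REQUEST:
            return msg
        proxy_id = self._new_call_id(server_ip)
        self.state[(server_ip, proxy_id)] = (client_ip, call_id_of(msg, 12))
        return msg[:12] + struct.pack("!H", proxy_id) + msg[14:]

    def server_control(self, server_ip: str, msg: bytes) -> tuple[str, bytes]:
        """Server -> client reply: Peer's Call ID is the one we chose; restore the client's."""
        if call_id_of(msg, 8) != OUT_CALL_REPLY:
            raise ValueError("only Outgoing-Call-Reply is modelled here")
        client_ip, client_id = self.state[(server_ip, call_id_of(msg, 14))]
        return client_ip, msg[:14] + struct.pack("!H", client_id) + msg[16:]

    def server_gre(self, server_ip: str, pkt: bytes) -> tuple[str, bytes]:
        """Inbound GRE: look up (server, Call ID); GRE without matching state is dropped."""
        key = (server_ip, call_id_of(pkt, 6))
        if key not in self.state:
            raise KeyError(f"no PPTP state for GRE from {server_ip}, call {key[1]:#06x}")
        client_ip, client_id = self.state[key]
        return client_ip, pkt[:6] + struct.pack("!H", client_id) + pkt[8:]


def demo() -> dict:
    """Two clients, both using Call ID 1, call the same server through the proxy."""
    proxy, server, ppp = PptpProxy(), "203.0.113.21", b"\xff\x03\xc0\x21"
    req_a = proxy.client_control("10.0.0.31", server, outgoing_call_request(1))
    req_b = proxy.client_control("10.0.0.32", server, outgoing_call_request(1))
    id_a, id_b = call_id_of(req_a, 12), call_id_of(req_b, 12)
    # the server's GRE frames carry the rewritten client IDs; the proxy maps them back
    to_a, gre_a = proxy.server_gre(server, gre_packet(id_a, ppp))
    to_b, gre_b = proxy.server_gre(server, gre_packet(id_b, ppp))
    rep_to, rep = proxy.server_control(server, outgoing_call_reply(0x1234, id_b))
    return {"ids": (id_a, id_b),
            "gre": ((to_a, call_id_of(gre_a, 6)), (to_b, call_id_of(gre_b, 6))),
            "reply": (rep_to, call_id_of(rep, 14))}
```

Without the rewrite both clients would present Call ID 1 to the server and its GRE frames towards "call 1" would be indistinguishable; with it, the only thing that changes on the wire is a 16-bit field in the control channel and in the GRE key. The model leaves out what a production proxy must also do: tie the state to the client's TCP control connection, remove entries on Call-Clear-Request/Call-Disconnect-Notify or when the control connection closes, and age out GRE state that never gets torn down cleanly.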