
List:       fwtk-users
Subject:    Re: plug-gw for unknown destination
From:       Michel Bardiaux <mbardiaux () peaktime ! be>
Date:       2001-02-28 9:39:57


Ted Keller wrote:
 > 
 > Zakharov,
 > 
 > plug-gw is a many to one proxy - not a one to many or a many to many.
 > 
 > If your application needs to connect to many hosts - you may want to look
 > at socksifying the application and using a socks daemon for that purpose.
 > See www.socks.nec.com.
 > 
 > ted keller
 > 
Slight amendment: with the "-ssl" option, plug-gw *can* be used as a
one-to-many proxy *provided* the client application uses HTTP and
supports HTTP proxying. Web browsers do that, of course, but also wget,
apt (on Linux Debian), maybe others.

If the client does not so behave, it is relatively easy, starting from
an inetd or xinetd source, to write a relaying application translating
connections to known (I mean in a config file) ports, into connections
to outside host/port, using plug-gw on port 443, which you need anyway
for https.

As a matter of fact, it would be a good thing to have a way of
controlling "plug-gw -ssl": lists of allowed and forbidden destination
hosts/ports, and option to forbid non-ssl sessions. HTTPS support can
hardly be disabled, but once it's there, it is %&#@ easy for internal
users to install tunnels for protocols ranging from nuisance (napster)
through dangerous (IRC with some of these Wintel clients that actually
export every hard or network drive) to malicious (BackOrifice). Does anyone
know of such a patch, or is anyone working on one?

Greetings.
-- 
Michel Bardiaux
Peaktime Belgium S.A.  Rue Margot, 37  B-1457 Nil St Vincent
Tel : +32 10 65.44.15  Fax : +32 10 65.44.10
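As an added example (not code from this message or from the FWTK project), here is the kind of control the message asks for on "plug-gw -ssl": a check of one proxied session against allowed and forbidden destination host/port lists, plus a refusal of sessions that do not start with TLS. It assumes the client uses the HTTP CONNECT method (which is what plug-gw -ssl relays for https), and the rule format and sample hosts are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed policy shape (an assumption for this example, not plug-gw syntax):
# entries are "host:port" or "host:*"; an empty allowed set means "any host
# not forbidden", and ssl_only refuses tunnels whose first bytes are not TLS.
@dataclass
class TunnelPolicy:
    allowed: set = field(default_factory=set)
    forbidden: set = field(default_factory=set)
    ssl_only: bool = True

CONNECT_RE = re.compile(rb"^CONNECT\s+([A-Za-z0-9.\-]+):(\d{1,5})\s+HTTP/1\.[01]\r?\n")

def parse_connect(request: bytes):
    """Return (host, port) from an HTTP CONNECT request line, or None."""
    m = CONNECT_RE.match(request)
    if not m:
        return None
    host, port = m.group(1).decode().lower(), int(m.group(2))
    return (host, port) if 0 < port < 65536 else None

def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """A TLS session opens with a record of content type 0x16 (handshake),
    version 0x03 0x0X, whose first handshake message is type 0x01 (ClientHello).
    Anything else (an IRC NICK line, a Napster login) is a non-SSL tunnel."""
    return (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04
            and first_bytes[5] == 0x01)

def decide(policy: TunnelPolicy, request: bytes, first_bytes: bytes = b"") -> str:
    """Return 'allow' or 'deny: <reason>' for one CONNECT session; first_bytes
    are the client's first bytes after the proxy answered the CONNECT."""
    dest = parse_connect(request)
    if dest is None:
        return "deny: not a well-formed CONNECT request"
    host, port = dest
    key, wild = f"{host}:{port}", f"{host}:*"
    if key in policy.forbidden or wild in policy.forbidden:
        return f"deny: {key} is on the forbidden list"
    if policy.allowed and key not in policy.allowed and wild not in policy.allowed:
        return f"deny: {key} is not on the allowed list"
    if policy.ssl_only and not looks_like_tls_client_hello(first_bytes):
        return f"deny: session to {key} does not start with a TLS ClientHello"
    return "allow"
```

Checking the first client bytes, rather than only the destination port, is what catches a non-SSL protocol wrapped in a CONNECT to port 443.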
