RE: ICP proxy for Firewall

From: Larmour, Jonathan <>
Date: Tue, 21 Oct 1997 12:48:26 +0100

>From: Marc van Selm
>Sent: 21 October 1997 08:31
>Subject: Re: ICP proxy for Firewall
>At 06:50 PM 10/20/97 +0200, wrote:
>This might be very useful but TIS told us UDP is not something they want to
>support. It is possible to set up a "UDP-tunnel" though the FW "but people
>who do this will get on the black list" (Quote from one of the tech's who
>came to set up an initial evaluation system) The main problem (their main
>problem) was that they couldn't keep a good Connection-state. (I think this
>should be possible but requires understanding of the Higher layer protocol
>completed with time-outs)

[] The point with UDP is in fact that it is connectionless, i.e. there
is no connection to know the state of! There are programs that can do
this (udprelay) but only to one specific host (although you could use
different UDP ports on the firewall to do different hosts). In practice,
this isn't really the way to go.

>4) Have an internal proxy which takes care of the "routing"

This sounds like the best approach to me. However I would have it the
other way round to what you imply, and have the real "big" proxy on the
inside, and just a little squid on the outside to field the ICP. This
little squid would be "default no-query". The reason is that the more
traffic that passes through the firewall, the more stuff is parsed by
the firewall software (http-gw?), and this has to be done for every
request, even the cached ones.

So it is much quicker for the user if it is done this way round.

Jonathan L.
Received on Tue Oct 21 1997 - 04:46:06 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:19 MST