Re: squid as relay, or plug-gw

From: Joe Abley <>
Date: Sun, 31 May 1998 23:01:29 +1200 (NZST)


On Sun, 31 May 1998, Michael Samuel wrote:

> I assume that's what plug-gw does. Sorry, I haven't tried it before, as I
> run an ISP setup, not a firewall setup. Personally, (as somebody who's
> just started tinkering with socket() and freinds) I'd try to write a
> program that basicly finds out where the packets are going, and connects
> to that server, then literally acts as a simple transparent proxy between
> the connections.

Plug-gw is a utility supplied with the TIS firewall toolkit.

Plug-gw is not transparent. Plug-gw presents a single listening port on a
single interface which, once a client is connected, will be "plugged"
through to another port on another interface on another machine.

The normal application is to have a world-reachable port on a bastion
host to which hosts in the world can connect - and have that connection
piped through to an internal machine which is not otherwise

> But, then again, that's basicly what IP masquerading does, except only for
> services that I run the daemon on, and it won't work for ftp, irc, ping...

Network Address Translation (NAT) will happily handle protocols based on
UDP, and TCP-based protocols with stream-level negotiation of
ports/addresses as long as the implementation can handle payload
translation. Most commercial NAT implementations (e.g. Cisco IOS,
Checkpoint Firewall-1, SunScreen) will do a certain degree of payload
translation. They usually fall down on non-trivial translations like those
required for SNMP.

"IP masquerading" is a NAT facility built into the linux kernel. It does
no payload translation.

IRC is based on TCP, and should work I would have thought - except that
some ircservers may refuse connections since the apparent source
port/address will not resolve to a meaningful username (unless you're
running a hacked identd on your NAT box).

You might want to look at socks5 - socksifying squid is pretty trivial.
Socks5 will support TCP- and UDP-based protocols, and will also handle
pings and traceroutes.

For IRC, I believe that the socks5 toolkit comes with an ident capability
that works quite nicely - as client sessions through a socks5 daemon are
authenticated, the socks5 host has all the information required to make a
real-looking ident reply. This is just from some vague memories, however.
I haven't played with socks for quite a while. Your mileage may vary.


Joe Abley <>      Tel +64 9 912-4065, Fax +64 9 912-5008
Network Architect, CLEAR Net            
Received on Sun May 31 1998 - 04:14:06 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:40:31 MST