Re: Some thoughts about Proxy/Firewalls

Brian Godette (bgodette@idcomm.com)
Wed, 10 Dec 1997 14:29:15 -0700


At 11:40 AM 12/9/97 -0800, you wrote:
>Hello,
>
>I'm sorry if some of this has been discussed before, but it's not in the list
>archives. As you all know cu doesn't like proxies or firewalls that do

It's in there... several tens of times over and over.

>address translation. What I *think* is happening is this: when cu launches
>it gets its IP address using winsock calls, but the address it gets is the
>internal address. This shouldn't be a problem because the proxy/firewall
>translates this address in the header of each IP packet to an external
>routeable one. The problem (again I *think*) is that cu is also sending the
>IP address in the data portion of the packets, which of course cannot be
>manipulated by the proxy/firewall. This address is then being used somewhere
>else (i.e. the reflector), but because it isn't routeable, the packets will
>never make their way back.
>
>If I'm right and this is monitored by cornell or wp I would like to make a
>petition: let us override the IP address that cu gets when launched. This
>way we can give our external address to cu in advance. I realize that
>getting the external IP is not always easy (i.e. if you have a pool of
>dynamic IP addresses) but at least it is something we can control. There are
>no security issues involved because you cannot use an arbitrary address or
>the packets will end up somewhere else :), and you already have the cu ports
>open anyway.

This isn't enough... remember this is a UDP socket, not TCP, so the
firewall/proxy has *no way* of knowing which *internal* system inbound
packets are meant for. It can be rigged to work for exactly one system at
any one time only (which is how the CU-SeeMe IP Masq module under Linux
works). There's an "easier" solution, which I'd have to write, but it would
require that your NAT/Proxy system be either Unix or NT/95, not a router.
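An added simulation (not CU-SeeMe's code and not the Linux IP Masq module) of the two failure modes discussed in this thread: a NAT that rewrites only IP/UDP headers, a client that embeds its own address in the data, and a reflector that replies to the embedded address. The addresses and the fixed CU port number are constructed for the example.

```python
from dataclasses import dataclass

EXT_IP = "203.0.113.5"   # constructed: the NAT's routeable (external) address
REFLECTOR = "198.51.100.9"
CU_PORT = 7648           # assumption: the fixed UDP port the client listens on

@dataclass
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: dict        # application data, opaque to the NAT

class Masq:
    """Header-only NAT: rewrites addresses/ports in the headers, never the payload."""
    def __init__(self):
        self.table = {}  # external port -> (internal ip, internal port)

    def forward(self, ext_port, ip, port):
        """Static mapping: one internal host owns an external port (the IP Masq approach)."""
        self.table[ext_port] = (ip, port)

    def outbound(self, p):
        ext = next((e for e, i in self.table.items() if i == (p.src_ip, p.src_port)), None)
        if ext is None:                      # no mapping yet: allocate a fresh external port
            ext = 40000 + len(self.table)
            self.table[ext] = (p.src_ip, p.src_port)
        return Pkt(EXT_IP, ext, p.dst_ip, p.dst_port, p.payload)   # payload left untouched

    def inbound(self, p):
        inside = self.table.get(p.dst_port)  # UDP: the destination port is all the NAT has
        return None if inside is None else Pkt(p.src_ip, p.src_port, *inside, p.payload)

def reflector_reply(p):
    """Reflector addresses its reply to the address carried in the data, not the header."""
    return Pkt(p.dst_ip, p.dst_port, p.payload["my_ip"], p.payload["my_port"], {"video": 1})

def session(masq, client_ip, advertised_ip):
    """Client behind the NAT talks to the reflector; returns where the reply ends up."""
    out = masq.outbound(Pkt(client_ip, CU_PORT, REFLECTOR, CU_PORT,
                            {"my_ip": advertised_ip, "my_port": CU_PORT}))
    back = reflector_reply(out)
    if back.dst_ip != EXT_IP:
        return "lost: reply sent to unroutable " + back.dst_ip
    delivered = masq.inbound(back)
    return "dropped at NAT" if delivered is None else delivered.dst_ip
```

Advertising the internal address loses the reply before it reaches the NAT; advertising the external address gets it to the NAT, but with UDP only a static mapping for one host makes it deliverable, and a second host's reply lands on that same host.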