Status of Bugzilla #1153
Simon Vallet
svallet at genoscope.cns.fr
Wed Feb 22 09:51:17 EST 2006
On Wed, Feb 22, 2006 at 09:41:52AM +1100, Darren Tucker wrote:
> Simon Vallet wrote:
> >I *definitely* think I'm missing something now ;-) How on earth would you
> >route every packet destined to the outside through the bastion without
> >specifying that bastion in a default route (be it static or dynamic)?
>
> That's the point: in such a configuration you don't route any *packets*
> to the outside at all. Connections get proxied at the TCP or
> application level, e.g. via SOCKS, tcprelay, web proxy, mail gateway or
> similar on the bastion host (which typically has IP forwarding disabled).
>
> IP packets destined for addresses not in the internal network result in
> an ICMP network-unreachable.
Interesting -- I never thought of implementing such a solution, as
application-level proxying and filtering at the gateway seemed enough.
This is really nice, I'll give it a try sometime.
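
The setup described in the quoted reply can be checked per host. The following is an added example, not part of the original message or of OpenSSH: it assumes Linux `ip route show` output and the value of `/proc/sys/net/ipv4/ip_forward`, and the role names, function names and sample routing tables are constructed for illustration.

```shell
#!/bin/sh
# Audit a host against the "no packets routed to the outside" design:
# internal hosts carry no default route, the bastion has IP forwarding off.

# Returns 0 if the `ip route show` text on stdin contains a default route.
has_default_route() {
    awk '$1 == "default" || $1 == "0.0.0.0/0" { found = 1 } END { exit !found }'
}

# audit_host ROLE ROUTES IP_FORWARD
#   ROLE        "internal" or "bastion" (labels chosen for this example)
#   ROUTES      output of `ip route show`
#   IP_FORWARD  contents of /proc/sys/net/ipv4/ip_forward
# Prints one finding per line; returns 0 when compliant, 1 otherwise.
audit_host() {
    role=$1; routes=$2; fwd=$3; rc=0
    case $role in
        internal)
            if printf '%s\n' "$routes" | has_default_route; then
                echo "FAIL: internal host has a default route"; rc=1
            fi ;;
        bastion)
            if [ "$fwd" != "0" ]; then
                echo "FAIL: bastion has IP forwarding enabled"; rc=1
            fi ;;
        *)
            echo "FAIL: unknown role $role"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK: $role"; fi
    return "$rc"
}

# Constructed sample routing tables (not taken from a real host).
SAMPLE_OK='10.0.0.0/8 dev eth0 proto kernel scope link src 10.1.2.3'
SAMPLE_BAD='default via 10.0.0.1 dev eth0
10.0.0.0/8 dev eth0 proto kernel scope link src 10.1.2.3'

audit_host internal "$SAMPLE_OK" 0
audit_host internal "$SAMPLE_BAD" 0 || true

# On a live host:
#   audit_host internal "$(ip route show)" "$(cat /proc/sys/net/ipv4/ip_forward)"
```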