- From: Shel Kaphan <sjk@amazon.com>
- Date: Tue, 23 Jan 1996 23:22:27 -0800
- To: Balint Nagy Endre <bne@bne.ind.eunet.hu>
- Cc: http WG <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
Balint Nagy Endre writes:
> Shel Kaphan writes:
...
> > For example you could set up externally visible services on ports
> > 8000, 8001, 8002, ... and have them all translate down to port 80 (or
> > whatever) on the inside of the firewall.
...
> > --Shel
> Hmm. If a request contains a port number different from the port to which
> it's sent, then the server in question should
> 1. refuse the request if it isn't acting as proxy
> 2. forward it in a usual way, if it provides proxy service.
...
> Andrew. (Endre Balint Nagy) <bne@bne.ind.eunet.hu>

What happens inside a local network doesn't have to be so standardized. As has been pointed out before, though the functionality is similar, gateways provide a different service than proxies. An http server running on a firewall which is intended to provide service to users outside a local network may support services visible on the outside of the firewall that the server's managers would like to be handled in special ways on the inside.

***If I had software that could do this stuff, I'd be using it***

Just because the externally visible request is on port N, doesn't mean the request has to be communicated on port N inside the firewall. If the protocol allowed this information to stay in some part of the request, so that the servers inside the firewall could be standard servers, then the original request could be sent unmolested, even if on a different TCP port. Otherwise, to get a similar effect, the gateway server running on the firewall would have to perform hostname or URL translations or some other similarly hard to manage hack to differentiate between requests to the same host but different ports.

I see no reason why a server -- especially one running inside a private net -- would have to check that the port in the request matched the actual TCP port to which it was listening. But since this seems somehow to be a "done deal" it isn't worth arguing about it too much. In fact, I just wasted 15 minutes composing this!
Received on Wednesday, 24 January 1996 00:16:29 UTC
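
Added example, not part of the original message: a sketch of the two behaviours debated above, assuming the request carries its original host and port in a `Host` header as HTTP/1.1 later specified. The service names, port map and sample request are constructed, and checking the port at the gateway is this example's own design choice.

```python
# Added illustration: names, ports and the sample request are constructed.
PUBLISHED = {8000: "catalog", 8001: "orders", 8002: "search"}  # external port -> service
INTERNAL_PORT = 80  # TCP port the inside server actually listens on


def parse_host(raw: bytes):
    """Return (hostname, port) from a single Host header, else (None, None)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            values.append(value.strip())
    if len(values) != 1 or not values[0]:
        return None, None  # missing or duplicated Host is ambiguous
    host, sep, port = values[0].rpartition(":")
    if not sep or port.endswith("]"):
        return values[0].lower(), 80  # no explicit port (incl. bare IPv6 literal)
    if host and port.isdecimal() and len(port) <= 5 and 0 < int(port) < 65536:
        return host.lower(), int(port)
    return None, None  # malformed port


def gateway_forward(raw: bytes, arrival_port: int):
    """Firewall side: check at the edge, then pass the request on unmodified."""
    _, port = parse_host(raw)
    if port != arrival_port or arrival_port not in PUBLISHED:
        return None  # refuse: request names a port it did not arrive on
    return INTERNAL_PORT, raw


def inside_server(raw: bytes, listen_port: int, strict: bool):
    """strict=True applies the quoted reply's rule; strict=False routes on the header."""
    host, port = parse_host(raw)
    if host is None:
        return 400, "missing or ambiguous Host"
    if strict and port != listen_port:
        return 400, "port mismatch"
    service = PUBLISHED.get(port)
    return (200, service) if service else (404, "unknown port")


SAMPLE = b"GET /cart HTTP/1.1\r\nHost: shop.example:8001\r\n\r\n"  # constructed
```

With the strict rule the inside server rejects every translated request, while the lenient server depends on the gateway having already confirmed that the named port is the one the request arrived on.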