[GTALUG] Routing and/or Proxying

ted leslie ted.leslie at gmail.com
Wed Sep 7 00:32:20 EDT 2016


If you and the other end have full IPv6 access, then you can get a nice
IPv6 block and the firewall can accept that block. As long as the block is
yours only, and you're not worried about someone being able to spoof at or
close to your dest. point, this would solve it without adding an extra
layer of OpenVPN, or IPsec issues with Openswan and "maybe" compatible
routers (10-18 years ago this drove me nuts, but maybe it's better now).
You could also buy a movable IPv4 class, but if you were coming from a few
POPs, best to get a few IPv6 classes, give them to the peer point FW, and
have them config it once and be done with it. But if you set up at an
additional POP, then you're waiting for another admin FW request to occur
on their time frame. In this latter case, Openswan is probably the only
easy solution, provided the peering FW is dead-on reliable with Openswan
road warrior configs, say with 509 certs, etc.

-tl
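The routing variant Giles sketches below (application servers send everything through a gateway with a fixed address, and only authenticated peers may transit it) written out as an nftables ruleset for the gateway host; this is an added example, not configuration from the thread. Assumed names: eth0 is the public NIC holding the fixed address 203.0.113.10, tun0 is the OpenVPN tunnel (UDP 1194) the application servers authenticate into, 10.8.0.0/24 is the tunnel client pool, and 198.51.100.0/24 stands in for the network behind the peer firewall.

```nft
#!/usr/sbin/nft -f
# Gateway ruleset. Assumed names: eth0 = public NIC with fixed address
# 203.0.113.10, tun0 = OpenVPN tunnel interface, 10.8.0.0/24 = tunnel client
# pool, 198.51.100.0/24 = network behind the peer firewall (placeholders).
flush ruleset

table inet gateway {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # From the internet only the tunnel endpoint and admin SSH are reachable.
        iifname "eth0" udp dport 1194 accept
        iifname "eth0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Forward only traffic that arrived over the authenticated tunnel, and
        # only toward the firewalled network. The tunnel login is the
        # authentication Giles asks for; source IP alone is never trusted.
        iifname "tun0" ip saddr 10.8.0.0/24 oifname "eth0" ip daddr 198.51.100.0/24 accept
        # Everything else that tries to transit the gateway is logged and dropped,
        # so abuse attempts against the proxy show up in the kernel log.
        log prefix "gw-forward-drop: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # The peer firewall sees every request from the one allow-listed address.
        oifname "eth0" ip saddr 10.8.0.0/24 snat to 203.0.113.10
    }
}
```

Load it with `nft -f` and set `net.ipv4.ip_forward=1`; with Ted's IPv6-block approach the nat table is unnecessary, since the peer admits the whole prefix and the forward chain alone does the gatekeeping.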

On Sat, Sep 3, 2016 at 11:05 AM, Giles Orr via talk <talk at gtalug.org> wrote:

> I think I'm having trouble finding an answer to my questions largely
> because I don't fully know how to express them, so I'm going to try to
> do so here and see if another member of this list can take my English
> language fuzzy logic and turn it into question(s) that can more easily
> be answered ...
>
> I'm running application servers that have to make queries to servers
> behind a firewall.  The firewall (not in my control) has to be
> configured to admit IP addresses.  Getting addresses added to the
> firewall can be slow.  So it seems to me the best way to do this would
> be to set up a couple of proxy servers with fixed/known IPs so that
> the application servers (fluctuating headcount and IPs) could make
> their requests through the proxy servers - which are known to the
> firewall.
>
> This makes sense in my head so far.  But here's the problem: I'd like
> to send all network traffic from the application servers through the
> proxy servers, regardless of content, port, destination, anything.
> But in saying that, it begins to sound more like "routing" than
> "proxying", and enforcing this seems like it might be tricky on the
> open internet.  And authentication of some sort would seem to be
> needed to prevent bad actors using the proxy to access stuff behind
> the firewall.
>
> A VPN is a possibility, but not one I'm enthusiastic about: I tackled
> OpenVPN a few months back, and after a day and a half and very little
> progress my brains started to slide out my ears.  But if that's what I
> need to do, I'll get back on it.
>
> Thanks!
>
> --
> Giles
> http://www.gilesorr.com/
> gilesorr at gmail.com