TCP Server sitting behind a proxy

John La Rooy nospampls.jlr at doctor.com
Tue Feb 11 16:41:18 EST 2003


On Wed, 12 Feb 2003 00:04:22 +0530
Jeethu Rao <jeethur at sancharnet.in> wrote:

> This question is not really Pythonic, but since the
> thing is written in Python (without anything higher
> than the socket module), and since there are a lot of
> network coders on c.l.py, I thought of asking it in here.
>
> I'm working on an application which requires to have
> a listening socket on the client side. Most of the traffic
> is upstream from the client to the server, but the server
> sometimes connects to the client's listening socket for event
> notification. I'm supposed to make it work from behind a proxy
> server. I do include the (client's IP address and the listening port
> as reported by the client to the server upon login) in every
> downstream packet (from the server to the client's listening socket).
>
> So, I think it's fairly trivial to write a small proxy which
> could sniff every incoming packet on its listening port and
> redirect it to the appropriate client.
>
> Is this quite OK, or is there a better approach to the
> proxies and firewalls problem?
> (Yes, I did read the Firewall FAQ before coming up with this question.)
>  
> Thanks,
> 
> Jeethu Rao
> 

Are any of these machines going to be connected to the internet? If so, you need
to think about security. You probably should anyway, in case someone else wants to
use your system on the internet in the future.

For example, with a topology like this

Client1
       \
        \
Client2--o--Proxy/Firewall---Internet---Server
        /
       /
Client3

Suppose Client3 logs into the server. The login packet contains the IP address
of Client3 and the port being listened on. Let's say 192.168.0.33:3333.

Now at a later time, the server wishes to send an event to Client3. This is done
via a message to the proxy like "192.168.0.33:3333 <payload>".

The proxy delivers "<payload>" to 192.168.0.33:3333. Hurray we are done.

Meanwhile in the batcave...

Batman has been watching your traffic and notices these packets from the server to
the proxy and wonders - What will happen if I send "192.168.0.33:137 <exploit>"
to that port.

Sure enough, the proxy delivers "<exploit>" to 192.168.0.33:137. Uh oh.
Once you have figured out a secure way to manage the proxy you need to decide on how
to implement it. If you are the kind of person who leaves a C compiler on the firewall,
you may as well give intruders a Python interpreter too. I don't have a C compiler on
my firewall. So the proxy program would be written in C and copied over. This means
you need to be extra careful - you don't want the proxy itself to be exploited!

John
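One way to close the hole John describes, as an added example that is not code from this thread: the proxy learns each client's listening address from the login it relays, and later forwards an event only to a registered ip:port and only when the packet comes from the server's own address. The class name, method names and all addresses are hypothetical and constructed for the illustration.

```python
import ipaddress
import re

# The "ip:port <payload>" framing described in the thread, matched on bytes.
_HEADER = re.compile(rb"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) (.*)$", re.DOTALL)


class EventProxy:
    """Forwards server events only to (ip, port) pairs registered at login.

    Hypothetical class written for this example, not from the thread.
    """

    def __init__(self, server_addr, client_net):
        self.server_addr = server_addr             # only the real server may send events
        self.client_net = ipaddress.ip_network(client_net)
        self.registered = set()                    # (ip, port) pairs announced at login

    def register_login(self, ip, port):
        """Record a client's listening address when its login passes through.

        The proxy learns the address from the login it relays, so the
        destination of a later event is never taken from the event packet
        alone. Only unprivileged ports inside the client network are accepted.
        """
        addr = ipaddress.ip_address(ip)
        if addr not in self.client_net or not (1024 <= port <= 65535):
            raise ValueError("refusing to register %s:%d" % (ip, port))
        self.registered.add((str(addr), port))

    def route(self, src_addr, packet):
        """Return (ip, port, payload) for a deliverable packet, or None to drop it.

        A source-address check alone is weak (addresses can be forged), so a
        real deployment would also authenticate the server; it is shown here
        because the thread's design had no check at all.
        """
        if src_addr != self.server_addr:
            return None                            # not the server: drop
        m = _HEADER.match(packet)
        if not m:
            return None                            # malformed header: drop
        ip, port, payload = m.group(1).decode(), int(m.group(2)), m.group(3)
        if (ip, port) not in self.registered:
            return None                            # e.g. 192.168.0.33:137 was never announced
        return ip, port, payload
```

With this check, the "192.168.0.33:137 <exploit>" packet from the example is dropped while "192.168.0.33:3333 <payload>" is still delivered.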