NON-PROXY Implementation

Discuss and get help to implement a CacheGuard Gateway into your networks
jdolence
Posts: 2
Joined: 29 Jun 2017 14:28

NON-PROXY Implementation

Post by jdolence »

I have a very special use case where I need to configure CacheGuard for inspection only.
Is it possible for CacheGuard OS to:
1. Act transparently - traffic will be steered to the device.
2. NO DNS resolution
3. NO caching
4. NO HTTP protocol inspection
5. Forward received traffic from the inside interface to an outside interface without NAT
6. Perform URL inspection and allow a local blacklist to be maintained
7. Perform AV inspection, perhaps using DansGuardian AV
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: NON-PROXY Implementation

Post by david »

Hi,

Thank you for your post. In answer to your questions:

- You can implement CG as a transparent Gateway. Refer to http://www.cacheguard.net/doc/guide/transparent.html for further information.
- The embedded DNS can be disabled, but you must then use your own external DNS.
- The caching can be disabled.
- The HTTP protocol is only inspected in reverse (proxy) mode (to protect Web servers), so there is no protocol inspection in transparent forwarding mode (URL inspection only).
- In transparent mode, incoming Web requests from the internal interface of CG are transparently intercepted by the embedded proxy so outgoing Web requests are sent using the external IP address of CG (so you'll get a kind of NAT).
- You can allow or deny URLs using your own regular expressions and list of domain names and URLs.
- CG embeds its own AV (based on ClamAV), so you don't need to connect it to an external AV.

I hope that my answers are clear enough. If you need clarifications, please don't hesitate to post your questions here.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
jdolence
Posts: 2
Joined: 29 Jun 2017 14:28

Re: NON-PROXY Implementation

Post by jdolence »

David,

Thanks for the quick reply. I started testing before seeing your response.

You identified the only problem I am having: "In transparent mode, incoming Web requests from the internal interface of CG are transparently intercepted by the embedded proxy so outgoing Web requests are sent using the external IP address of CG (so you'll get a kind of NAT)."

I need the outgoing requests to use the IP address that CG received on the inside interface (e.g. spoofing or bridged). Just pass it through. At Layer 2/3, these interfaces are totally separated and the MACs are unique.

Is there any way to do this?
Is there any way to get to the actual OS?

So close, yet so far away.

Thanks,
Jeff
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: NON-PROXY Implementation

Post by david »

Hi,

To achieve what you are looking for, you need a facility that can operate at the IP level. Unfortunately CG does not integrate such a facility (at least not yet).

Maybe you can have a look at http://www.netfilter.org/projects/libne ... index.html. Of course I understand that building a solution based on raw Linux/NetFilter may not be as straightforward as a solution based on CG.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
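The point made twice in this thread, that a transparent proxy opens a new upstream connection from its own address (the "kind of NAT" David describes) and that keeping the original inside address instead needs IP-level support, can be seen in miniature with the following added example. It is not CacheGuard code and was written for this thread: a one-shot TCP relay on the loopback interface, a client at the constructed address 127.0.0.2 standing in for an inside host, and a backend that records the source IP it saw. Binding the upstream socket to the client's address works here only because 127.0.0.2 is itself local; for real client addresses this is what a netfilter/IP_TRANSPARENT-style facility provides.

```python
import socket
import threading

CLIENT_IP = "127.0.0.2"  # constructed "inside" client address; all of 127/8 is local on Linux
LOCAL_IP = "127.0.0.1"   # the relay's own address, standing in for CG's external interface

def _backend(listener, seen):
    """Accept one connection, echo its message and record the source IP it came from."""
    conn, peer = listener.accept()
    with conn:
        conn.sendall(conn.recv(64))
    seen["peer_ip"] = peer[0]

def _relay(listener, upstream, preserve_client_ip):
    """Accept one client and relay one message through a fresh upstream TCP connection."""
    client, client_addr = listener.accept()
    with client, socket.socket() as up:
        if preserve_client_ip:
            # Binding to the client's IP only works here because 127.0.0.2 is local;
            # for real client addresses this needs IP-level support (e.g. IP_TRANSPARENT).
            up.bind((client_addr[0], 0))
        up.connect(upstream)  # otherwise the source address is the relay's own ("a kind of NAT")
        up.sendall(client.recv(64))
        client.sendall(up.recv(64))

def observed_source_ip(preserve_client_ip):
    """Send one request from CLIENT_IP through the relay; return the source IP the backend saw."""
    backend, relay = socket.socket(), socket.socket()
    for sock in (backend, relay):
        sock.bind((LOCAL_IP, 0))
        sock.listen(1)
    seen = {}
    workers = [
        threading.Thread(target=_backend, args=(backend, seen), daemon=True),
        threading.Thread(target=_relay, args=(relay, backend.getsockname(), preserve_client_ip), daemon=True),
    ]
    for w in workers:
        w.start()
    with socket.socket() as c:
        c.settimeout(5)
        c.bind((CLIENT_IP, 0))
        c.connect(relay.getsockname())
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")
        c.recv(64)
    for w in workers:
        w.join(5)
    for sock in (backend, relay):
        sock.close()
    return seen.get("peer_ip")  # "127.0.0.1" by default, "127.0.0.2" when preserving
```

Running `observed_source_ip(False)` shows the backend seeing the relay's address, while `observed_source_ip(True)` shows the original client address, which is the behaviour Jeff asked for.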