Subject: Spoofing in the Smoothwall web proxy engine
You can turn on "Spoofing" in the Smoothwall when setting up the web proxy. You can do this for both transparent and non-transparent proxies. In this article, we explain what happens when you turn on Spoofing in the Smoothwall and present a few use cases where this is relevant.
Explanation: What does spoofing do?
It allows the web proxy to present the client IP address as the source of the requests it sends upstream. Normally all web requests leaving the web proxy have the proxy IP address as the source.
An example of where spoofing could be needed is when an upstream IDS engine needs to be able to see the client IP addresses rather than the proxy IP address.
IMPORTANT: When spoofing is turned on, return traffic going to the clients must be routed via the web proxy. Without this, return traffic is sent directly back to the client without being processed by the web proxy, and the client rejects it: the reply belongs to the proxy's upstream connection, for which the client has no matching connection state.
Specific use cases
A customer needed the outgoing web traffic for each school to be source NATed to a unique IP address. Spoofing was essential to achieve this.
- Each Smoothwall filter system was configured with a basic interface for incoming traffic and an external for outgoing traffic.
- The basic interface had one IP address, on which the proxy listened and which was set as the target in the load balancer.
- The external interface was configured with a set of IP addresses, one for each school.
- Address objects were created for each school's IP address ranges.
- Spoofing was enabled in the proxy.
- SNAT rules for outgoing traffic were created to map each school location to a specific outgoing IP address.
- The upstream firewall was configured with a set of source NAT rules for each specific outgoing IP address used by the filters.
For 30 schools this ended up being 30 IP aliases on each filter's external interface, a source NAT rule for each IP on the filter, and modification of the existing 30 SNAT rules on the upstream firewall as well.
When using spoofing on a UTM system that has a direct internet connection, return routing is done via the Smoothwall automatically. Spoofing policies are applied before outgoing firewall and source NAT policies, allowing those to use the client IP address as a differentiator:
- Source NAT of web traffic by client IP.
- Bandwidth management of web traffic by client IP.
- Outgoing firewall rules to restrict or allow web traffic by client IP.
Due to the routing requirements for spoofing, when you use a single proxy where spoofing is needed we recommend that you either set up the proxy with two interfaces or that you do not connect it directly to a client subnet. This makes routing easier to achieve in a sensible manner.
The main reason for using spoofing in a single proxy setup is that the existing upstream firewall and routing structure requires the client IP to maintain functionality. Please note that return routing must still be done via the Smoothwall, which is an operational concern that will have to be addressed.
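The following is an added illustration, not Smoothwall code: a small model of the two effects described above, namely which source address the upstream firewall sees (and so whether a per-school SNAT rule can match), and why a reply that is not routed back via the proxy is rejected by the client. All addresses, ranges and port numbers are constructed for the example.

```python
"""Constructed model of proxy spoofing: upstream-visible source and return routing."""
import ipaddress
from dataclasses import dataclass

PROXY_IP = "192.0.2.10"          # constructed proxy address
ORIGIN_IP, ORIGIN_PORT = "203.0.113.5", 80   # constructed web server
# Constructed per-school client ranges and the outgoing IP each is SNATed to upstream
SCHOOL_SNAT = {
    ipaddress.ip_network("10.1.0.0/16"): "198.51.100.1",
    ipaddress.ip_network("10.2.0.0/16"): "198.51.100.2",
}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def proxy_request(client_ip, spoofing):
    """The upstream request the proxy sends on the client's behalf.
    With spoofing on, the source is the client IP instead of the proxy IP."""
    return Packet(client_ip if spoofing else PROXY_IP, 50000, ORIGIN_IP, ORIGIN_PORT)

def upstream_snat(pkt):
    """Upstream firewall: choose the outgoing IP from the source seen on the wire.
    Returns None when no school rule matches, e.g. when the source is the proxy."""
    src = ipaddress.ip_address(pkt.src)
    for net, out_ip in SCHOOL_SNAT.items():
        if src in net:
            return out_ip
    return None

def reply_accepted(client_ip, spoofing, return_via_proxy):
    """Is the origin server's reply accepted? A host only accepts a packet whose
    4-tuple matches a connection it owns. The client's only connection is to the
    proxy listener; the upstream connection belongs to the proxy even when it is
    bound to the client IP."""
    req = proxy_request(client_ip, spoofing)
    reply = Packet(req.dst, req.dport, req.src, req.sport)
    proxy_conns = {(req.src, req.sport, req.dst, req.dport)}
    client_conns = {(client_ip, 40000, PROXY_IP, 800)}   # client -> proxy, constructed ports
    # The reply is addressed to req.src. With spoofing that is the client IP, so a
    # plain route delivers it straight to the client unless forced back via the proxy.
    delivered_to = proxy_conns if (reply.dst == PROXY_IP or return_via_proxy) else client_conns
    return (reply.dst, reply.dport, reply.src, reply.sport) in delivered_to
```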