The CEQURUX Firewall is dual-homed; that is, it requires two network interfaces, one for connecting to the external network (usually via your router to the Internet) and the other for connecting to one of your internal networks. We can thus distinguish between outgoing connections, from internal hosts to hosts on the external network, and incoming connections, from external hosts to hosts on your internal network(s). Many firewalls allow only outgoing connections (except for electronic mail), but the CEQURUX Firewall, depending on how it is configured, allows both incoming and outgoing connections.
Regardless of the direction, the firewall uses Network Address Translation (NAT); that is, the addresses of internal hosts are hidden from the outside world. As packets pass out through the firewall, the internal source addresses are replaced with the external interface address of the firewall, making it appear to the outside world that all connections are coming from the firewall itself. Conversely, packets received on the outside have their destination address (the firewall external address) replaced with the address of the internal host for which they are destined. The mechanism by which NAT is accomplished can vary, depending on whether the connection is done using a TCP application proxy, or whether it is through the transparent gateway program cdsgw.
Because internal addresses are hidden from the outside world, it is not possible for an external host to connect transparently to an internal host. Instead, connections from external hosts must be made to the firewall, which can then relay the connection once it knows what the final destination is meant to be. This is how the TCP proxies work. The actual mechanism used to inform the TCP proxy of the final destination varies with the protocol: for interactive protocols such as FTP and telnet, the user running the client software can manually specify a final destination after connecting to the firewall; for non-interactive protocols, the final destination may have to be statically preconfigured.
Hosts on the inside can, however, look up the addresses of external hosts, and so it is possible for them to connect directly and transparently to the destination (via the firewall). To keep this secure, not all packets are forwarded; forwarding is tightly controlled by a special gateway program, the aforementioned cdsgw. It is also possible to use TCP proxies for outgoing access, but this is neither necessary nor desirable in most cases. Thus, as a general rule, outgoing connections are transparent and are handled by cdsgw, while incoming connections are handled by application-specific TCP proxies.
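The following is an added illustration of the translation and forwarding rules described above; it is example code written for this page, not part of CEQURUX or cdsgw. It models the three behaviours the text describes: outbound packets have their internal source address replaced with the firewall's external address and are recorded in a mapping; inbound packets are forwarded only when they are replies to a recorded outbound connection (and only from the host the connection went to); and anything else addressed to the firewall is accepted only if it matches a statically preconfigured proxy destination, otherwise it is dropped. The addresses, the `NatGateway` class and its method names are all constructed for the example, and the static proxy table is a simplification of an application-level TCP proxy relay.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

FW_EXTERNAL = "203.0.113.1"  # constructed: firewall external interface address
INTERNAL_NET = "192.168.1."  # constructed: internal network prefix


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Hypothetical model of the firewall's NAT and forwarding policy.

    Outbound flows are translated to the external address and remembered;
    inbound packets are forwarded only as replies to a remembered flow or
    via a statically preconfigured proxy destination. Not cdsgw itself."""

    def __init__(self, external_ip: str,
                 static_proxies: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None):
        self.external_ip = external_ip
        # (proto, internal src, sport, dst, dport) -> external port used on the outside
        self.out_map: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, external port) -> (internal src, sport, dst, dport)
        self.in_map: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # (proto, port on firewall) -> (internal host, port): statically preconfigured
        self.static_proxies = dict(static_proxies or {})
        self._next_port = 40000  # constructed starting point for translated ports

    @staticmethod
    def _is_internal(ip: str) -> bool:
        return ip.startswith(INTERNAL_NET)

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Internal -> external: hide the internal source behind the firewall."""
        if not self._is_internal(pkt.src):
            return None  # only genuine internal hosts are forwarded outwards
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:
            port = self._next_port
            self._next_port += 1
            self.out_map[key] = port
            self.in_map[(pkt.proto, port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.external_ip, sport=self.out_map[key])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """External -> internal: forward replies and proxied services only."""
        if pkt.dst != self.external_ip:
            return None  # internal addresses are not reachable from outside
        flow = self.in_map.get((pkt.proto, pkt.dport))
        if flow is not None:
            src, sport, dst, dport = flow
            if pkt.src != dst or pkt.sport != dport:
                return None  # not from the peer this flow was opened to: drop
            return replace(pkt, dst=src, dport=sport)
        target = self.static_proxies.get((pkt.proto, pkt.dport))
        if target is not None:
            host, port = target
            return replace(pkt, dst=host, dport=port)
        return None  # unsolicited inbound connection: dropped


def demo() -> Dict[str, Optional[Packet]]:
    """Run the scenarios from the text and return the translated packets."""
    gw = NatGateway(FW_EXTERNAL, static_proxies={("tcp", 25): ("192.168.1.25", 25)})
    out = gw.translate_outbound(Packet("tcp", "192.168.1.10", 51000, "198.51.100.7", 80))
    reply = gw.translate_inbound(Packet("tcp", "198.51.100.7", 80, FW_EXTERNAL, out.sport))
    spoofed = gw.translate_inbound(Packet("tcp", "198.51.100.99", 80, FW_EXTERNAL, out.sport))
    unsolicited = gw.translate_inbound(Packet("tcp", "198.51.100.7", 12345, FW_EXTERNAL, 22))
    mail = gw.translate_inbound(Packet("tcp", "198.51.100.7", 33000, FW_EXTERNAL, 25))
    return {"out": out, "reply": reply, "spoofed": spoofed,
            "unsolicited": unsolicited, "mail": mail}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} {'dropped' if pkt is None else pkt}")
```

The two `None` results are the security-relevant ones: a packet to a translated port from a host other than the one the connection was opened to is dropped, and a fresh inbound connection to a port with no proxy configured never reaches an internal host. Only the statically configured port 25 proxy is relayed inside, which is the behaviour the text describes for non-interactive protocols.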
There are technical difficulties with proxying non-connection-oriented protocols (unless the client-side software is specially designed for this, as with the generic proxying protocol SOCKS). This is why proxying is restricted to TCP. The transparent gateway, on the other hand, has sufficient intelligence built in that it can handle ICMP, UDP and TCP.
The following sections will explore the difference between proxying and transparent gatewaying in more detail. The discussion is necessarily somewhat technical, but it is important to understand how the firewall works in order to achieve the effects you desire.