Next: Packet Flow and Network Up: Architecture Previous: Using Proxies

Transparent Gatewaying

To achieve transparency the firewall uses a special program called cdsgw, which captures packets on the internal network interface that are addressed to external hosts. Before passing the packets on to the external target host, cdsgw performs Network Address Translation by modifying the source addresses in the packets so that they appear to originate from the firewall. Similarly, a response received from the external host is matched against the current set of connections to determine the internal host that the response should go to; the destination address of the packet is changed to this host and the packet is forwarded to the internal network. Authentication mechanisms similar to those in the proxies are used to ensure that the connections are permitted, and packets that arrive on the outside interface that do not match any of the current connections are dropped.

This allows unmodified client programs running on internal hosts to access the external network as though the firewall were a normal gateway. As far as an internal client is concerned, it is connected to an external server. As far as the external server is concerned, it is connected to a client running on the firewall. The operation of the transparent gateway is illustrated in pseudo-code form in Figure 2.3, and graphically in Figure 2.4. An advantage of this approach is that connectionless (ICMP and UDP) services can be supported as well; cdsgw maintains a set of 'logical' connections for such packet exchanges. The gateway program also transparently modifies the data contained in packets to handle applications with special requirements, such as Archie or FTP.
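The address rewriting and connection matching described in the two paragraphs above, as an added toy model that is not cdsgw's own code: outbound packets are rewritten to the firewall's address and recorded as (logical) connections, replies are matched back to the internal host, and anything from the outside that matches no connection is dropped and logged. The `allow` policy hook, the class and port range, and all addresses are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp" (for ICMP the port fields carry the identifier)
    src: str
    sport: int
    dst: str
    dport: int

class TransparentGateway:
    """Assumed-name toy model of cdsgw-style NAT with connection matching."""

    def __init__(self, ext_ip, allow):
        self.ext_ip = ext_ip      # address the outside world sees for every client
        self.allow = allow        # policy hook standing in for the proxy-style checks
        self.out = {}             # (proto, in_host, in_port, ext_host, ext_port) -> fw_port
        self.back = {}            # (proto, ext_host, ext_port, fw_port) -> (in_host, in_port)
        self.next_port = 40000    # constructed pool of firewall-side source ports
        self.log = []

    def outbound(self, pkt):
        """Packet captured on the inside interface, addressed to an external host."""
        if not self.allow(pkt):
            self.log.append(f"denied {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return None
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        fw_port = self.out.get(key)
        if fw_port is None:       # new (logical) connection: allocate a firewall port
            fw_port = self.next_port
            self.next_port += 1
            self.out[key] = fw_port
            self.back[(pkt.proto, pkt.dst, pkt.dport, fw_port)] = (pkt.src, pkt.sport)
        # Source rewritten so the external server sees the firewall as the client.
        return Packet(pkt.proto, self.ext_ip, fw_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Packet from the outside: forwarded only if it matches a current connection."""
        inside = self.back.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if pkt.dst != self.ext_ip or inside is None:
            self.log.append(f"dropped unsolicited {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return None
        # Destination rewritten back to the internal host that opened the connection.
        return Packet(pkt.proto, pkt.src, pkt.sport, inside[0], inside[1])

def demo():
    """Constructed exchange: an internal UDP client queries an outside DNS server."""
    gw = TransparentGateway("203.0.113.1", allow=lambda p: p.src.startswith("192.168."))
    fwd = gw.outbound(Packet("udp", "192.168.1.10", 5353, "198.51.100.53", 53))
    back = gw.inbound(Packet("udp", "198.51.100.53", 53, "203.0.113.1", fwd.sport))
    stray = gw.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.1", fwd.sport))
    return fwd, back, stray, list(gw.log)
```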


Figure 2.3: Simplified Circuit-Level Gateway Algorithm (pseudo-code listing)


Figure 2.4: Connecting Via the cdsgw Circuit-Level Gateway (diagram: gwconn.ps)


Copyright © 2004, CEQURUX Technologies