What is a firewall proxy server?

Most modern firewalls distinguish between packet filtering and proxy server services. A firewall proxy server is an application that acts as an intermediary between two end systems. It operates at the application layer: both ends of a connection are forced to conduct the session through the proxy, which the firewall achieves by creating and running a process that mirrors the service as if it were running on the end host. The client talks to the proxy as though it were the real server, and the proxy in turn talks to the real server as though it were the client.

A firewall proxy server essentially turns a two-party session into a four-party one: the client talks to the proxy's server-side process, the proxy's client-side process talks to the real server, and the processes in the middle emulate the two real hosts to each other. Because they operate at the application layer, proxy servers are also referred to as application layer firewalls. A separate proxy service must be run for each type of Internet application the firewall will support -- a Simple Mail Transfer Protocol (SMTP) proxy for e-mail, an HTTP proxy for Web traffic and so on. Proxy servers are most often one-way arrangements for sessions initiated from the internal network to the outside network. In other words, if an internal user wants to access a Web site on the Internet, the packets making up that request are processed through the HTTP proxy before being forwarded to the Web site, and packets returned from the Web site are in turn processed through the HTTP proxy before being forwarded back to the internal user's host. One consequence is that the external server sees only the proxy's address, since it is the proxy, not the internal host, that opens the outbound connection.

Because a firewall proxy server centralizes all activity for an application in a single process, it is the ideal place to perform a variety of useful functions. With the application protocol terminated right on the firewall, traffic can be inspected for much more than source and destination addresses and port numbers, which is why most modern firewalls incorporate some form of proxy-server architecture. For example, inbound commands headed to a server set up strictly to distribute information (say, an anonymous FTP server) can be inspected for write commands such as STOR (the protocol command sent when a client types "put"), DELE or MKD, and the proxy can pass through only read commands such as RETR and LIST. The limit is that the proxy can enforce only what its protocol parser understands, so an allowlist of known-safe commands is safer than a denylist of known-bad ones: anything unrecognised is refused rather than forwarded.
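The following is an added example, not code from the original article, showing both points above in working form: the proxy terminates the client's FTP control connection and opens its own connection to the server (the two-session structure described earlier), and it inspects each command before forwarding it, letting only an allowlist of read commands through. The command lists, reply texts, and the in-process fake FTP server used for the demonstration are constructed for this example; a real deployment would also have to proxy the FTP data channel, which is omitted here.

```python
import socket
import threading
from typing import List, Optional, Tuple

# Constructed allowlist of read-only FTP verbs (example policy, not a standard).
READ_ONLY = {"USER", "PASS", "SYST", "FEAT", "TYPE", "PWD", "CWD", "CDUP",
             "PASV", "EPSV", "PORT", "LIST", "NLST", "RETR", "SIZE", "MDTM",
             "NOOP", "QUIT"}
# Verbs that modify the server; they get an explicit refusal. Any verb in
# neither set is also refused, so the policy fails closed.
WRITE = {"STOR", "STOU", "APPE", "DELE", "RMD", "MKD", "RNFR", "RNTO", "SITE"}


def parse_verb(line: bytes) -> str:
    """Return the upper-cased FTP verb from one control-channel line."""
    verb, _, _ = line.strip().partition(b" ")
    return verb.decode("ascii", "replace").upper()


def policy_reply(line: bytes) -> Optional[bytes]:
    """None if the command may be forwarded, else the reply the proxy itself sends."""
    verb = parse_verb(line)
    if verb in READ_ONLY:
        return None
    if verb in WRITE:
        return b"502 Write commands are not permitted through this proxy.\r\n"
    return b"500 Command not recognised by proxy.\r\n"


def proxy_control_channel(client: socket.socket, server: socket.socket) -> List[str]:
    """Relay one FTP control session: client <-> proxy <-> server.

    The proxy reads a full command line from the client, applies the policy,
    and only then writes to the server; blocked commands never leave the
    firewall. Returns a transcript of decisions for inspection.
    """
    transcript: List[str] = []
    cfile = client.makefile("rb")
    sfile = server.makefile("rb")
    client.sendall(sfile.readline())          # pass the server banner through
    while True:
        line = cfile.readline()
        if not line:                          # client closed its connection
            break
        verb = parse_verb(line)
        reply = policy_reply(line)
        if reply is not None:
            transcript.append(f"BLOCK {verb}")
            client.sendall(reply)             # answer on the server's behalf
            continue
        transcript.append(f"FORWARD {verb}")
        server.sendall(line)
        client.sendall(sfile.readline())      # relay the server's reply line
        if verb == "QUIT":
            break
    return transcript


def demo_session() -> Tuple[List[str], List[bytes]]:
    """Drive a constructed session through the proxy using in-process sockets."""
    client, proxy_client_side = socket.socketpair()
    proxy_server_side, server = socket.socketpair()

    def fake_server() -> None:               # constructed stand-in for a real FTP server
        f = server.makefile("rb")
        server.sendall(b"220 fake ftp ready\r\n")
        while True:
            line = f.readline()
            if not line:
                break
            verb = line.split(b" ")[0].strip().upper()
            if verb == b"QUIT":
                server.sendall(b"221 Goodbye.\r\n")
                break
            server.sendall(b"200 " + verb + b" accepted\r\n")
        server.close()

    out: List[List[str]] = []
    t_server = threading.Thread(target=fake_server)
    t_proxy = threading.Thread(
        target=lambda: out.append(proxy_control_channel(proxy_client_side, proxy_server_side)))
    t_server.start()
    t_proxy.start()

    cf = client.makefile("rb")
    replies = [cf.readline()]                 # banner
    for cmd in (b"USER anonymous\r\n", b"RETR readme.txt\r\n",
                b"STOR evil.bin\r\n", b"DELE readme.txt\r\n", b"QUIT\r\n"):
        client.sendall(cmd)
        replies.append(cf.readline())
    t_proxy.join()
    t_server.join()
    for s in (client, proxy_client_side, proxy_server_side):
        s.close()
    return out[0], replies


if __name__ == "__main__":
    for decision, reply in zip(demo_session()[0], demo_session()[1][1:]):
        print(f"{decision:14s} -> {reply.decode().strip()}")
```

The point to notice is that the 502 refusals for STOR and DELE are generated by the proxy and never reach the server, while the permitted commands are forwarded verbatim and the server's replies come back through the same process. Because the policy is an allowlist, a misspelled or unknown verb is refused with a 500 rather than passed through.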