Firewall Wizards mailing list archives
Re: Transparent proxies and PMTUD on the (WWW) serverside
From: Rick Murphy <rmurphy () mitretek org>
Date: Wed, 27 Aug 2003 08:44:37 -0400
At 06:33 PM 8/26/2003, Mikael Olsson wrote:
> Um, no. I'll rephrase Carson's mail for him: "If an ALG-based firewall system that implements transparency on the client side has PMTUd on in the underlying operating system, and the transparency code doesn't handle ICMP 'must frag' errors, the firewall system is b0rken."
Again, why? The proxy should be slurping up bits from the client and passing them up to the server (and vice-versa). The underlying IP stack handles PMTUd. There's no reason for the proxy to need to know that the PMTUd is taking place. (Or for the client to need to know, for that matter.)
The only thing that's "b0rken" is that the two sides of the proxy conversation could have different MTUs. So what? There's no reason for the proxy to care about the MTU negotiation taking place - or for it to reflect that negotiation back to the client.
The client sends however much data it can, the proxy reads what it gets, and transmits it onward to the server. If the server-side MTU is lower, the messages get fragmented by the IP stack. As long as your protocol isn't b0rken (i.e. every message sent by the client has to arrive at the server intact in a single packet), everything works. If the protocol is sensitive to packet boundaries, it won't work over the Internet. I like demonstrating these kinds of errors by interposing a SLIP link with a tiny MTU. Anything that won't work in the face of fragmentation isn't designed properly IMHO. (Or, it's at best a LAN protocol, not an Internet protocol).
> So, yeah, ok, the ALG itself shouldn't care about ICMP errors. But the transparency function / packet filter that makes the ALG transparent surely should. And it doesn't make the firewall a packet filter in my book.
Transparency doesn't need to be as complex as that.
-Rick
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
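An added illustration of the argument in Rick's reply (constructed model, not code from the thread or from any firewall product): a byte-stream proxy between a client link and a server link with different MTUs, written so that the proxy never looks at MTUs or ICMP at all, followed by two receivers, one that frames its messages and one that assumes one message per packet. The function names `relay`, `frame`, `parse_framed` and `parse_one_per_packet`, the MTU values and the sample requests are all my own assumptions.

```python
from typing import List


def relay(sends: List[bytes], client_mtu: int, server_mtu: int) -> List[bytes]:
    """Model of the proxy as described in the thread: it reads whatever the
    client-side stack hands it and writes it onward; the server-side stack
    re-segments to its own MTU. Returns the segments as the server sees them.
    Simplification: each server-side segment is filled before it is sent."""
    proxy_buf = bytearray()
    delivered: List[bytes] = []
    for send in sends:
        # client-side IP stack splits the client's send to the client-link MTU
        for i in range(0, len(send), client_mtu):
            proxy_buf += send[i:i + client_mtu]      # proxy slurps up the bits
            while len(proxy_buf) >= server_mtu:      # and passes them onward
                delivered.append(bytes(proxy_buf[:server_mtu]))
                del proxy_buf[:server_mtu]
    if proxy_buf:                                    # trailing partial segment
        delivered.append(bytes(proxy_buf))
    return delivered


def frame(msg: bytes) -> bytes:
    """Internet-style framing: a 2-byte big-endian length prefix per message."""
    return len(msg).to_bytes(2, "big") + msg


def parse_framed(segments: List[bytes]) -> List[bytes]:
    """Receiver that reassembles length-prefixed messages from any segmentation."""
    buf = bytearray()
    msgs: List[bytes] = []
    for seg in segments:
        buf += seg
        while len(buf) >= 2:
            n = int.from_bytes(buf[:2], "big")
            if len(buf) < 2 + n:
                break                                # wait for the rest
            msgs.append(bytes(buf[2:2 + n]))
            del buf[:2 + n]
    return msgs


def parse_one_per_packet(segments: List[bytes]) -> List[bytes]:
    """'LAN protocol' receiver that treats every packet as one whole message;
    it only works while nothing between the endpoints re-segments the stream."""
    return list(segments)
```

With a 7-byte server-side MTU the framed receiver still recovers every request, while the per-packet receiver sees six chunks of seven bytes instead of three requests; with a 3-byte client-side MTU the proxy coalesces everything and the framed receiver is still correct.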