Firewall Wizards mailing list archives

Re: Transparent proxies and PMTUD on the (WWW) serverside


From: Carson Gaspar <carson () taltos org>
Date: Wed, 27 Aug 2003 20:49:08 -0400



--On Wednesday, August 27, 2003 8:44 AM -0400 Rick Murphy <rmurphy () mitretek org> wrote:

Again, why? The proxy should be slurping up bits from the client and
passing them up to the server (and vice-versa). The underlying IP stack
handles PMTUd. There's no reason for the proxy to need to know that the
PMTUd is taking place. (Or for the client to need to know, for that
matter.)

Bzzzzt. Not if you enable transparent (or other) proxying which maintains the original source address (as was specified in the original example). This is usually given as a requirement for web servers, or other services that "need" to know who their clients are, and get unhappy when every request is from their own firewall.

Of course, the definition of "proxy" becomes fuzzy. The same code that rewrites the outbound connection to fake its source address needs to handle all relevant response packets, including (but not limited to) ICMP Would Fragment. Call it part of the proxy or not, it still needs to work correctly.

--
Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
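The point Carson makes above, that a source-preserving proxy becomes the thing that must catch ICMP "Fragmentation Needed" for the packets it spoofed, can be modelled in a few dozen lines. The following is an added example, not code from the mailing-list post or from any firewall product: a toy flow table for a proxy that puts the client's address on its outbound connections, plus a parser that takes an ICMP type 3 / code 4 message, reads the quoted inner IP header and TCP ports, and matches them back to the proxy's own flow so the path MTU is reduced there rather than in the client's stack (which has no such connection). Addresses, ports and MTU values are constructed sample values; the fallback of 576 bytes for a zero next-hop MTU field and the `SpoofingProxy` class name are this example's own assumptions.

```python
"""Model of ICMP Fragmentation Needed handling in a source-spoofing transparent proxy.

Added example (not from the original message). Assumes the proxy keys its flow table
on the 4-tuple it actually put on the wire; all addresses and sizes are constructed.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3   # ICMP type
ICMP_FRAG_NEEDED = 4    # ICMP code under type 3 (RFC 1191)
IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header (IP checksum left at zero; this is a model, not wire output)."""
    flags_frag = 0x4000 if df else 0  # DF set: the sender wants PMTUD, not router fragmentation
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, 0x1234,
                       flags_frag, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_frag_needed(router_ip: str, orig_packet: bytes, next_hop_mtu: int) -> bytes:
    """What a path router sends back when a DF packet is too big: ICMP 3/4 quoting the original
    IP header plus the first 8 bytes of its payload, addressed to the original *source* address."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + orig_packet[:28]
    body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
    orig_src = socket.inet_ntoa(orig_packet[12:16])  # spoofed client address, so it routes back via the proxy
    return build_ipv4_header(router_ip, orig_src, IPPROTO_ICMP, len(body), df=False) + body


class SpoofingProxy:
    """Flow table for a proxy that preserves the client's source address on outbound connections."""

    def __init__(self, default_mtu: int = 1500):
        self.default_mtu = default_mtu
        self.flows = {}  # (client_ip, client_port, server_ip, server_port) -> {"pmtu": int}

    def open_flow(self, client_ip, client_port, server_ip, server_port):
        key = (client_ip, client_port, server_ip, server_port)
        self.flows[key] = {"pmtu": self.default_mtu}
        return key

    def handle_inbound(self, packet: bytes):
        """Classify a packet arriving on the external side. Returns a (verdict, flow_key, pmtu) tuple;
        only 'icmp_pmtu' means the message was for one of the proxy's own spoofed flows."""
        ihl = (packet[0] & 0x0F) * 4
        if packet[9] != IPPROTO_ICMP:
            return ("other", None, None)
        icmp = packet[ihl:]
        itype, icode, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
        if itype != ICMP_DEST_UNREACH or icode != ICMP_FRAG_NEEDED:
            return ("icmp_other", None, None)
        if icmp_checksum(icmp) != 0:
            return ("icmp_bad_checksum", None, None)
        inner = icmp[8:]                      # quoted IP header + 8 bytes of the offending packet
        inner_ihl = (inner[0] & 0x0F) * 4
        if inner[9] != IPPROTO_TCP or len(inner) < inner_ihl + 4:
            return ("icmp_unmatched", None, None)
        key = (socket.inet_ntoa(inner[12:16]),                 # spoofed source = client address
               struct.unpack("!H", inner[inner_ihl:inner_ihl + 2])[0],
               socket.inet_ntoa(inner[16:20]),
               struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0])
        flow = self.flows.get(key)
        if flow is None:
            return ("icmp_unmatched", None, None)  # not ours: forward or drop per policy, never adjust
        if next_hop_mtu == 0:
            next_hop_mtu = 576                     # assumption: pre-RFC 1191 router, fall back to a safe floor
        flow["pmtu"] = min(flow["pmtu"], next_hop_mtu)
        return ("icmp_pmtu", key, flow["pmtu"])


def demo():
    """Constructed scenario: client 10.0.0.5:40000 -> web server 203.0.113.10:80 through the proxy."""
    proxy = SpoofingProxy()
    proxy.open_flow("10.0.0.5", 40000, "203.0.113.10", 80)
    tcp_head = struct.pack("!HHI", 40000, 80, 1000)  # first 8 bytes of TCP: ports + seq
    outbound = build_ipv4_header("10.0.0.5", "203.0.113.10", IPPROTO_TCP, 1460) + tcp_head + b"\x00" * 1452
    # A router with a 1400-byte next hop rejects the 1480-byte DF packet and replies to 10.0.0.5,
    # i.e. to the client address the proxy faked, so the reply lands on the proxy's external side.
    return proxy.handle_inbound(build_frag_needed("198.51.100.1", outbound, next_hop_mtu=1400))


if __name__ == "__main__":
    print(demo())
```

The part worth noticing is the `icmp_unmatched` branch: because the proxy owns the spoofed address for those flows only, an ICMP message quoting some other 4-tuple must not touch its MTU state, and a message that does match must be consumed here instead of being passed on to a client that never sent the packet.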

