Firewall Wizards mailing list archives
Re: Transparent proxies and PMTUD on the (WWW) serverside
From: Rick Murphy <rmurphy () mitretek org>
Date: Thu, 28 Aug 2003 15:14:10 -0400
At 08:49 PM 8/27/2003, Carson Gaspar wrote:
> --On Wednesday, August 27, 2003 8:44 AM -0400 Rick Murphy <rmurphy () mitretek org> wrote:
>
>> Again, why? The proxy should be slurping up bits from the client and passing them up to the server (and vice-versa). The underlying IP stack handles PMTUd. There's no reason for the proxy to need to know that the PMTUd is taking place. (Or for the client to need to know, for that matter.)
>
> Bzzzzt. Not if you enable transparent (or other) proxying which maintains the original source address (as was specified in the original example). This is usually given as a requirement for web servers, or other services that "need" to know who their clients are, and get unhappy when every request is from their own firewall.
>
> Of course, the definition of "proxy" becomes fuzzy. The same code that rewrites the outbound connection to fake its source address needs to handle all relevant response packets, including (but not limited to) ICMP Would Fragment. Call it part of the proxy or not, it still needs to work correctly.

Well, now you've got me thinking.

The Gauntlet plug-gw does act transparently as above; it can rewrite the source address to be non-local because the transparency support allows it (you can bind to any address.) There's no "rewriting" going on. In that set of circumstances, I still think the outbound PMTUd will work correctly. However, there are some circumstances where it's not going to work. Rats, wish I had a system to experiment with.

-Rick
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
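
The requirement raised in the quoted reply, that whatever fakes the client's source address must also consume the ICMP "fragmentation needed" replies those packets provoke, sketched as an added example (not code from this thread or from any product named in it). The connection table, function names and addresses are assumptions, the sample packet is constructed, and the ICMP checksum is not verified.

```python
import ipaddress
import struct

def parse_frag_needed(icmp: bytes):
    """Parse ICMP type 3 code 4 (RFC 1191); return None for anything else."""
    if len(icmp) < 8 + 20 + 8:
        return None
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    inner = icmp[8:]                      # quoted header of the packet that was too big
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"mtu": mtu, "proto": inner[9], "flow": (src, sport, dst, dport)}

def apply_to_proxy(icmp: bytes, server_side: dict):
    """Lower the path MTU of the proxy's own server-side connection.

    server_side (hypothetical) maps (spoofed client addr, sport, server, dport)
    to per-connection state. Returns that state, or None if no flow matches.
    """
    info = parse_frag_needed(icmp)
    if info is None or info["proto"] != 6:    # TCP only
        return None
    conn = server_side.get(info["flow"])
    if conn is None:
        return None                            # not a proxied flow
    if 68 <= info["mtu"] < conn["pmtu"]:       # only ever lower; 68 = IPv4 minimum
        conn["pmtu"] = info["mtu"]
    return conn

def build_sample(src, dst, sport, dport, mtu, icmp_type=3, code=4):
    """Constructed test packet: ICMP header + quoted IPv4 header + 8 TCP bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu) + ip + \
        struct.pack("!HHI", sport, dport, 1)

# Constructed scenario: the proxy opened 192.0.2.10:40000 -> 198.51.100.80:80
# on behalf of client 192.0.2.10, so the router's ICMP is addressed to the client.
if __name__ == "__main__":
    table = {("192.0.2.10", 40000, "198.51.100.80", 80): {"pmtu": 1500}}
    pkt = build_sample("192.0.2.10", "198.51.100.80", 40000, 80, 1400)
    print(apply_to_proxy(pkt, table))
```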