Firewall Wizards mailing list archives
Re: Transparent proxies and PMTUD on the (WWW) serverside
From: Carson Gaspar <carson () taltos org>
Date: Tue, 26 Aug 2003 19:49:16 -0400
--On Wednesday, August 27, 2003 00:33:53 +0200 Mikael Olsson <mikael.olsson () clavister com> wrote:

> "Marcus J. Ranum" wrote:
>>> If an ALG supports transparent proxying, enables PMTUD, and does not
>>> intercept ICMP must fragment, the ALG is broken. File a high priority
>>> trouble ticket with your vendor.
>>
>> If an ALG understands PMTUD and ICMP it's not an ALG, it's a packet filter masquerading as a proxy. All that stuff is totally below application space.
>
> Um, no. I'll rephrase Carson's mail for him: "If an ALG-based firewall system that implements transparency on the client side has PMTUd on in the underlying operating system, and the transparency code doesn't handle ICMP 'must frag' errors, the firewall system is b0rken." So, yeah, ok, the ALG itself shouldn't care about ICMP errors. But the transparency function / packet filter that makes the ALG transparent surely should. And it doesn't make the firewall a packet filter in my book.

Exactly.

And Marcus, almost all ALGs "know" about PMTUD and ICMP, they just outsource it to the kernel (in a rare example of compartmentalized code ;-) ). Once transparency is involved, the outsourcing is no longer complete, as specific packet re-writing instructions must be communicated to the kernel. In the Sidewinder case, they signed a bad outsourcing agreement ;-)

--
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
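
The check the thread says the transparency layer owes the kernel, sketched as an added example (not code from this post or from any vendor): match the packet quoted inside an ICMP "fragmentation needed" error against the flows the proxy terminates locally, and hand it to the local stack instead of forwarding it. The flow table, function names and addresses are assumptions made for illustration, as is the premise that the proxy answers clients from the server's address.

```python
import socket
import struct

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, IPPROTO_TCP = 3, 4, 6

def parse_frag_needed(icmp):
    """Return (next_hop_mtu, flow) for an ICMP type 3 code 4 message, else None.
    flow is (src_ip, src_port, dst_ip, dst_port) of the quoted TCP packet."""
    if len(icmp) < 8 + 20 + 8:          # ICMP header + minimal IP header + 8 bytes
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    quoted = icmp[8:]                   # the offending packet, as echoed by the router
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or quoted[9] != IPPROTO_TCP or len(quoted) < ihl + 8:
        return None
    src, dst = (socket.inet_ntoa(quoted[o:o + 4]) for o in (12, 16))
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return mtu, (src, sport, dst, dport)

def route_icmp_error(icmp, local_flows):
    """Decide what the transparency layer does with an ICMP error in transit."""
    parsed = parse_frag_needed(icmp)
    if parsed is None:
        return ("forward", None)        # not a must-frag error: normal handling
    mtu, flow = parsed
    # The quoted packet was sent by a local proxy socket using a borrowed address:
    # the local TCP stack, not the addressed host, must learn the new path MTU.
    return ("deliver-local", mtu) if flow in local_flows else ("forward", None)

def build_sample(src, sport, dst, dport, mtu):
    """Constructed ICMP frag-needed message (checksums zeroed, not verified here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp8 = struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + ip + tcp8

# Constructed, hypothetical flow table: proxy socket answering as 192.0.2.80:80.
LOCAL_FLOWS = {("192.0.2.80", 80, "198.51.100.7", 40000)}

if __name__ == "__main__":
    print(route_icmp_error(build_sample("192.0.2.80", 80, "198.51.100.7", 40000, 1400), LOCAL_FLOWS))
```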