nanog mailing list archives
Re: I don't need no stinking firewall!
From: William Herrin <bill () herrin us>
Date: Sun, 10 Jan 2010 12:47:24 -0500
On Sun, Jan 10, 2010 at 3:48 AM, James Hess <mysidia () gmail com> wrote:
there are a few different things that can be done, such as the firewall answering on behalf of the server (using SYN cookies) and negotiating connection with the server after the final ACK.
James,

That's called a proxy or sometimes an application-layer gateway. The problem with proxies, aside from the extra computing overhead, is that they radically change the failure semantics of a TCP connection. The sender believes itself connected and has transferred the first window worth of data (which may be all the data he needs to transmit) while the firewall is still trying to connect to the recipient. Often the proxy isn't clever enough to send an RST instead of a FIN, so the remote application thinks it has a successful finish. Even if it does send an RST, most application developers aren't well enough versed in sockets programming to block on the shutdown and check the success status, and even if they do they may report a different error than the basic "failed to connect."

Proxies can be a useful tool, but they should be used with caution and only when you're absolutely sure that the difference in TCP failure semantics is not important to the protocol you're proxying.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin () dirtside com bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
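The failure mode described in that message, as an added example that is not part of the thread: a constructed stand-in for the proxy (`_fake_proxy`, hypothetical) accepts the client's connection on loopback, swallows the first window of data, and then "fails" the upstream connect either with a plain FIN or with an RST (via SO_LINGER 0); the client (`send_request`, hypothetical) does the check the message says most developers skip, shutting down its write side and inspecting how the peer ends the connection. It assumes Python 3 on a POSIX host.

```python
import socket
import struct
import threading

# Constructed stand-in for the proxy's server side (not real proxy code):
# accept, absorb the client's first window, then end the connection the way
# a proxy would when its connect to the real server has failed.
def _fake_proxy(listener, abort_with_rst):
    conn, _ = listener.accept()
    with conn:
        conn.recv(65536)  # the client's data is "accepted" regardless of upstream
        if abort_with_rst:
            # SO_LINGER with a zero timeout makes close() emit RST instead of FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
        # otherwise close() sends a normal FIN: the "successful finish" illusion

def send_request(port, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Client that sends, then blocks on the shutdown/read to classify the end."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(payload)          # succeeds even though nothing reached the server
        s.shutdown(socket.SHUT_WR)  # we are done sending; now watch the peer
        try:
            data = s.recv(65536)
        except ConnectionResetError:
            return "reset"          # RST: the proxy signalled the failure
        if not data:
            return "eof-without-response"  # FIN with no reply: naive code calls this success
        return "response"

def run_scenario(abort_with_rst):
    """Run one client/proxy exchange on an ephemeral loopback port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_fake_proxy, args=(listener, abort_with_rst))
    t.start()
    result = send_request(port)
    t.join()
    listener.close()
    return result

if __name__ == "__main__":
    print("proxy sends RST:", run_scenario(True))
    print("proxy sends FIN:", run_scenario(False))
```

A client that only checks the return of `sendall()` sees both scenarios as success; only the read after shutdown tells the RST case from the silent FIN, and the FIN case is indistinguishable from a server that legitimately replied with nothing.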