Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) serverside
From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 08/27/03
- Previous message: Frederick M Avolio: "Re: [fw-wiz] Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls"
- In reply to: Marcus J. Ranum: "Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) server side"
- Next in thread: Carson Gaspar: "Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) serverside"
- Reply: Carson Gaspar: "Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) serverside"
- Reply: Rick Murphy: "Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) serverside"
To: "Marcus J. Ranum" <mjr@ranum.com>
Date: Wed, 27 Aug 2003 00:33:53 +0200
"Marcus J. Ranum" wrote:
>
> >If an ALG supports transparent proxying, enables PMTUD, and does not intercept ICMP must fragment, the ALG is broken. File a high priority trouble ticket with your vendor.
>
> If an ALG understands PMTUD and ICMP it's not an ALG, it's a packet
> filter masquerading as a proxy. All that stuff is totally below application
> space.
Um, no. I'll rephrase Carson's mail for him:

"If an ALG-based firewall system that implements transparency on
the client side has PMTUd on in the underlying operating system,
and the transparency code doesn't handle ICMP 'must frag'
errors, the firewall system is b0rken."

So, yeah, ok, the ALG itself shouldn't care about ICMP errors.
But the transparency function / packet filter that makes
the ALG transparent surely should. And it doesn't make
the firewall a packet filter in my book.
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
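
An added illustration, not part of the original message or of any product's code: a sketch of what "handling ICMP 'must frag' errors" in the transparency layer involves, namely parsing the ICMP type 3 code 4 message (RFC 1191), matching the embedded header against the proxy's own connections, and lowering the stored path MTU. It assumes the proxy answers clients using the server's address; the session table layout, the function names and the return labels are hypothetical.

```python
import socket
import struct

MIN_IPV4_MTU = 68  # smallest MTU an IPv4 link may have (RFC 791)

def parse_frag_needed(icmp):
    """Return (next_hop_mtu, flow, seq) from an ICMP type 3 code 4 message, else None."""
    if len(icmp) < 8 + 20 + 8:
        return None
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    inner = icmp[8:]                      # header of the packet that was too big
    ihl = (inner[0] & 0x0F) * 4
    if (icmp_type, code) != (3, 4) or inner[0] >> 4 != 4 or ihl < 20:
        return None
    if inner[9] != socket.IPPROTO_TCP or len(inner) < ihl + 8:
        return None
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return mtu, (src, sport, dst, dport), seq

def handle_icmp(icmp, sessions):
    """Apply the error to a proxied session; returns 'lowered', 'ignored' or 'forward'."""
    parsed = parse_frag_needed(icmp)
    if parsed is None:
        return "forward"                  # not a frag-needed error about TCP
    mtu, flow, seq = parsed
    sess = sessions.get(flow)
    if sess is None:
        return "forward"                  # not one of the proxy's own connections
    window = (sess["snd_nxt"] - sess["snd_una"]) % 2**32
    in_flight = (seq - sess["snd_una"]) % 2**32 < window
    # An MTU of 0 (routers predating RFC 1191) is simply ignored in this sketch.
    if not in_flight or not MIN_IPV4_MTU <= mtu < sess["pmtu"]:
        return "ignored"                  # stale, forged, or would not shrink the MTU
    sess["pmtu"] = mtu
    return "lowered"

def sample_error(mtu, src, sport, dst, dport, seq):
    """Build a constructed ICMP frag-needed message (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + ip + struct.pack("!HHI", sport, dport, seq)

# Constructed session table: the proxy talks to client 192.0.2.10 as server 198.51.100.80:80.
SESSIONS = {("198.51.100.80", 80, "192.0.2.10", 40000):
            {"snd_una": 1000, "snd_nxt": 9000, "pmtu": 1500}}
```

The point the sketch makes is that the error arrives addressed to the server's IP, so only the layer holding the transparency table can tell that it belongs to a local proxy socket rather than to the real server.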