Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) serverside
From: Carson Gaspar (carson_at_taltos.org)
Date: 08/27/03
- Previous message: Bret Watson: "[fw-wiz] Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls"
- In reply to: Mikael Olsson: "Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) serverside"
- Next in thread: Rick Murphy: "Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) serverside"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Tue, 26 Aug 2003 19:49:16 -0400
--On Wednesday, August 27, 2003 00:33:53 +0200 Mikael Olsson
<mikael.olsson@clavister.com> wrote:
>
> "Marcus J. Ranum" wrote:
>>
>> > If an ALG supports transparent proxying, enables PMTUD, and does not
>> > intercept ICMP must fragment, the ALG is broken. File a high priority
>> > trouble ticket with your vendor.
>>
>> If an ALG understands PMTUD and ICMP it's not an ALG, it's a packet
>> filter masquerading as a proxy. All that stuff is totally below
>> application space.
>
> Um, no. I'll rephrase Carson's mail for him:
>
> "If an ALG-based firewall system that implements transparency on
> the client side has PMTUd on in the underlying operating system,
> and the transparency code doesn't handle ICMP 'must frag'
> errors, the firewall system is b0rken."
>
> So, yeah, ok, the ALG itself shouldn't care about ICMP errors.
> But the transparency function / packet filter that makes
> the ALG transparent surely should. And it doesn't make
> the firewall a packet filter in my book.
Exactly.
And Marcus, almost all ALGs "know" about PMTUD and ICMP, they just
outsource it to the kernel (in a rare example of compartmentalized code ;-)
). Once transparency is involved, the outsourcing is no longer complete, as
specific packet re-writing instructions must be communicated to the kernel.
In the Sidewinder case, they signed a bad outsourcing agreement ;-)
-- Carson
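As an added illustration (not code from this thread or from any firewall vendor) of the job Mikael and Carson assign to the transparency function: when the firewall's kernel answers a client while spoofing the server's address, an ICMP type 3 code 4 ("fragmentation needed") error from a router on the client-side path comes back addressed to that spoofed address. The firewall must map the 4-tuple embedded in the error back to the proxy's own local socket so the kernel's PMTUD can lower the MTU, instead of forwarding the error on to the real server, which has no such connection. The transparency table, addresses and socket names below are constructed.

```python
import struct
from ipaddress import IPv4Address

# Constructed transparency table: datagrams the firewall emits with a spoofed source,
# keyed by the on-the-wire 4-tuple (src, sport, dst, dport), mapped to the proxy's
# internal socket identifier (hypothetical ids).
TRANSPARENCY_TABLE = {
    ("198.51.100.80", 80, "192.0.2.10", 40000): "proxy-sock-17",
}

def build_frag_needed(src, dst, orig_src, orig_sport, orig_dst, orig_dport, next_hop_mtu):
    """Construct an IPv4 datagram carrying ICMP type 3 code 4 (checksums left zero)."""
    # Embedded copy of the offending datagram: 20-byte IP header + first 8 TCP bytes.
    orig_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                          IPv4Address(orig_src).packed, IPv4Address(orig_dst).packed)
    orig_tcp8 = struct.pack("!HHI", orig_sport, orig_dport, 0)  # ports + seq number
    # ICMP header: type, code, checksum, unused, next-hop MTU (RFC 1191 field).
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + orig_ip + orig_tcp8
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                           IPv4Address(src).packed, IPv4Address(dst).packed)
    return outer_ip + icmp

def map_frag_needed(datagram):
    """Return (local_socket, next_hop_mtu) when the ICMP error belongs to a transparently
    proxied connection; None means it is not ours and should be handled as usual."""
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != 1:                       # outer protocol is not ICMP
        return None
    icmp = datagram[ihl:]
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 3 or icmp[1] != 4:
        return None                            # not a fragmentation-needed error
    next_hop_mtu = struct.unpack("!H", icmp[6:8])[0]
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < inner_ihl + 4:
        return None                            # embedded datagram was not TCP with ports
    src = str(IPv4Address(inner[12:16]))
    dst = str(IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    sock = TRANSPARENCY_TABLE.get((src, sport, dst, dport))
    if sock is None:
        return None                            # no spoofed connection matches
    # A next-hop MTU of 0 comes from pre-RFC 1191 routers; the caller must then
    # fall back to a plateau table rather than set the path MTU to zero.
    return sock, next_hop_mtu
```

Run as a simulation: `build_frag_needed` fakes the router's error addressed to the spoofed server address, and `map_frag_needed` shows which local socket must have its path MTU reduced.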