Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) serverside
From: Rick Murphy (rmurphy_at_mitretek.org)
To: Mikael Olsson <firstname.lastname@example.org> Date: Wed, 27 Aug 2003 08:44:37 -0400
At 06:33 PM 8/26/2003, Mikael Olsson wrote:
>Um, no. I'll rephrase Carson's mail for him:
>"If an ALG-based firewall system that implements transparency on
>the client side has PMTUd on in the underlying operating system,
>and the transparency code doesn't handle ICMP 'must frag'
>errors, the firewall system is b0rken."
Again, why? The proxy should be slurping up bits from the client and
passing them up to the server (and vice-versa). The underlying IP stack
handles PMTUd. There's no reason for the proxy to need to know that the
PMTUd is taking place. (Or for the client to need to know, for that
The only thing that's "b0rken" is that the two sides of the proxy
conversation could have different MTUs. So what? There's no reason for
the proxy to care about the MTU negotiation taking place - or for it to
reflect that negotiation back to the client.
The client sends however much data it can, the proxy reads what it
gets, and transmits it onward to the server. If the server-side MTU is
lower, the messages get fragmented by the IP stack. As long as your
protocol isn't b0rken (i.e. every message sent by the client has to
arrive at the server intact in a single packet), everything works. If
the protocol is sensitive to packet boundaries, it won't work over the
Internet. I like demonstrating these kinds of errors by interposing a
SLIP link with a tiny MTU. Anything that won't work in the face of
fragmentation isn't designed properly IMHO. (Or, it's at best a LAN
protocol, not an Internet protocol).
>So, yeah, ok, the ALG itself shouldn't care about ICMP errors.
>But the transparency function / packet filter that makes
>the ALG transparent surely should. And it doesn't make
>the firewall a packet filter in my book.
Transparency doesn't need to be as complex as that.
firewall-wizards mailing list