Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) serverside

From: Rick Murphy (rmurphy_at_mitretek.org)
Date: 08/27/03

  • Next message: TSimons_at_Delphi-Tech.com: "RE: [fw-wiz] Stop Using relays.osirusoft.com *NOW*!"
    To: Mikael Olsson <mikael.olsson@clavister.com>
    Date: Wed, 27 Aug 2003 08:44:37 -0400
    At 06:33 PM 8/26/2003, Mikael Olsson wrote:

    >Um, no. I'll rephrase Carson's mail for him:
    >
    >"If an ALG-based firewall system that implements transparency on
    >the client side has PMTUd on in the underlying operating system,
    >and the transparency code doesn't handle ICMP 'must frag'
    >errors, the firewall system is b0rken."

    Again, why? The proxy should be slurping up bits from the client and
    passing them up to the server (and vice-versa). The underlying IP stack
    handles PMTUd. There's no reason for the proxy to need to know that the
    PMTUd is taking place. (Or for the client to need to know, for that
    matter.)

    The only thing that's "b0rken" is that the two sides of the proxy
    conversation could have different MTUs. So what? There's no reason for
    the proxy to care about the MTU negotiation taking place - or for it to
    reflect that negotiation back to the client.

    The client sends however much data it can, the proxy reads what it
    gets, and transmits it onward to the server. If the server-side MTU is
    lower, the messages get fragmented by the IP stack. As long as your
    protocol isn't b0rken (i.e. every message sent by the client has to
    arrive at the server intact in a single packet), everything works. If
    the protocol is sensitive to packet boundaries, it won't work over the
    Internet. I like demonstrating these kinds of errors by interposing a
    SLIP link with a tiny MTU. Anything that won't work in the face of
    fragmentation isn't designed properly IMHO. (Or, it's at best a LAN
    protocol, not an Internet protocol).

    >So, yeah, ok, the ALG itself shouldn't care about ICMP errors.
    >But the transparency function / packet filter that makes
    >the ALG transparent surely should. And it doesn't make
    >the firewall a packet filter in my book.

    Transparency doesn't need to be as complex as that.
             -Rick

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
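An added illustration of the point Rick makes above (not code from the thread or from any firewall product mentioned in it): a stream proxy, like IP fragmentation or TCP segmentation on a path with a smaller MTU, preserves byte order but not the client's write boundaries. A protocol that frames its own messages (here, a constructed 4-byte length prefix) survives any re-chunking; one that assumes "one send equals one receive" only works on a LAN where nothing sits in between. The re-chunking model, the framing format and the sample messages are all assumptions made for this example.

```python
"""Why a byte-copying proxy is harmless to a well-framed protocol and
fatal to one that depends on packet boundaries.  Constructed example;
the framing format and the "rechunk" model of the proxy/MTU are
assumptions, not any particular firewall's behaviour."""
import struct
from typing import Iterable, Iterator, List


def frame(payload: bytes) -> bytes:
    """Assumed application framing: 4-byte big-endian length, then payload."""
    return struct.pack("!I", len(payload)) + payload


def rechunk(chunks: Iterable[bytes], max_size: int) -> Iterator[bytes]:
    """Model of everything between client and server: a proxy that reads
    whatever arrives and writes it onward, plus segmentation/fragmentation
    on a path whose MTU may be smaller than the client's sends.  Byte order
    is preserved; the client's write boundaries are not (small max_size
    splits sends, large max_size coalesces them)."""
    pending = b""
    for chunk in chunks:
        pending += chunk
        while len(pending) >= max_size:
            yield pending[:max_size]
            pending = pending[max_size:]
    if pending:
        yield pending


class FrameReader:
    """Server-side parser that tolerates arbitrary chunk boundaries by
    buffering until a complete frame is available."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, data: bytes) -> List[bytes]:
        self._buf += data
        out: List[bytes] = []
        while len(self._buf) >= 4:
            n = struct.unpack("!I", bytes(self._buf[:4]))[0]
            if len(self._buf) < 4 + n:
                break  # partial frame: wait for more bytes
            out.append(bytes(self._buf[4:4 + n]))
            del self._buf[:4 + n]
        return out


def robust_server(chunks: Iterable[bytes]) -> List[bytes]:
    """Internet-grade receiver: reassembles frames from any chunking."""
    reader = FrameReader()
    msgs: List[bytes] = []
    for chunk in chunks:
        msgs.extend(reader.feed(chunk))
    return msgs


def naive_server(chunks: Iterable[bytes]) -> List[bytes]:
    """LAN-only receiver: treats each received chunk as exactly one frame.
    Chunks that are not exactly one frame are silently dropped."""
    msgs: List[bytes] = []
    for chunk in chunks:
        if len(chunk) < 4:
            continue
        n = struct.unpack("!I", chunk[:4])[0]
        if len(chunk) == 4 + n:
            msgs.append(chunk[4:])
    return msgs


# Constructed sample traffic: three framed messages from the client.
MESSAGES = [b"GET / HTTP/1.0\r\n", b"Host: example.test\r\n", b"\r\n"]


def compare(max_size: int):
    """Run both receivers behind a relay/MTU that re-chunks at max_size.
    Returns (robust_result, naive_result)."""
    frames = [frame(m) for m in MESSAGES]
    return (robust_server(rechunk(frames, max_size)),
            naive_server(rechunk(frames, max_size)))


if __name__ == "__main__":
    for size in (9, 1500):
        robust, naive = compare(size)
        print(f"re-chunk at {size:4d} bytes: robust={robust == MESSAGES}, "
              f"naive={naive == MESSAGES}")
```

With the three frames totalling 50 bytes, re-chunking at 9 bytes splits every frame across chunks and re-chunking at 1500 coalesces all three into one read; the buffering receiver recovers the messages in both cases, while the receiver that equates a read with a message recovers none. When sent straight through without any re-chunking, both receivers agree, which is exactly why the naive design looks fine until a proxy or a smaller MTU appears in the path.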

