Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) serverside

From: Rick Murphy (rmurphy_at_mitretek.org)
Date: 08/28/03

  • Next message: Whiteside, Larry [contractor]: "RE: [fw-wiz] security of private leased lines"
    To: Carson Gaspar <carson@taltos.org>, firewall-wizards@honor.icsalabs.com
    Date: Thu, 28 Aug 2003 15:14:10 -0400

    At 08:49 PM 8/27/2003, Carson Gaspar wrote:

    >--On Wednesday, August 27, 2003 8:44 AM -0400 Rick Murphy
    ><rmurphy@mitretek.org> wrote:
    >
    >>Again, why? The proxy should be slurping up bits from the client and
    >>passing them up to the server (and vice-versa). The underlying IP stack
    >>handles PMTUd. There's no reason for the proxy to need to know that the
    >>PMTUd is taking place. (Or for the client to need to know, for that
    >>matter.)
    >
    >Bzzzzt. Not if you enable transparent (or other) proxying which
    >maintains the original source address (as was specified in the
    >original example). This is usually given as a requirement for web
    >servers, or other services that "need" to know who their clients are,
    >and get unhappy when every request is from their own firewall.
    >
    >Of course, the definition of "proxy" becomes fuzzy. The same code that
    >rewrites the outbound connection to fake its source address needs to
    >handle all relevant response packets, including (but not limited to)
    >ICMP Would Fragment. Call it part of the proxy or not, it still needs
    >to work correctly.

    Well, now you've got me thinking.
    The Gauntlet plug-gw does act transparently as above; it can rewrite
    the source address to be non-local because the transparency support
    allows it (you can bind to any address.) There's no "rewriting" going
    on.
    In that set of circumstances, I still think the outbound PMTUd will
    work correctly. However, there are some circumstances where it's not
    going to work. Rats, wish I had a system to experiment with.
    -Rick

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
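As an added illustration of the point Carson raises (this is constructed example code, not part of the thread and not Gauntlet's plug-gw), the sketch below shows what the transparency code on the proxy host has to do with an ICMP "Fragmentation Needed" message: the router addresses that ICMP to the client address the proxy bound to, so the proxy host must dig the original 4-tuple out of the quoted inner header, match it against the connections it owns, and lower the path MTU for that connection rather than just forwarding the ICMP on. All addresses, ports and the flow table are made-up sample values.

```python
import struct
from ipaddress import IPv4Address

def build_frag_needed(router, client, server, sport, dport, mtu):
    # Constructed sample: ICMP type 3 code 4 from the router, addressed to the
    # CLIENT address (the one the transparent proxy bound to), quoting the IP
    # header and first 8 bytes of the TCP segment the proxy sent.
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x4000, 64, 6, 0,
                           IPv4Address(client).packed, IPv4Address(server).packed)
    inner_tcp = struct.pack("!HHI", sport, dport, 1)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner_ip + inner_tcp
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 2, 0, 64, 1, 0,
                           IPv4Address(router).packed, IPv4Address(client).packed)
    return outer_ip + icmp

def parse_frag_needed(pkt):
    """Return (next_hop_mtu, (src, dst, sport, dport)) of the quoted original
    TCP segment, or None if the datagram is not an ICMP 'must fragment'."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                                   # outer protocol: ICMP
        return None
    icmp = pkt[ihl:]
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != 3 or code != 4:
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6:                                 # quoted datagram: TCP
        return None
    src = str(IPv4Address(inner[12:16]))
    dst = str(IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return mtu, (src, dst, sport, dport)

def apply_pmtu(pkt, proxy_flows):
    """proxy_flows: {(src, dst, sport, dport): current PMTU} for connections
    the proxy opened with a non-local (client) source address. The ICMP is
    routed to that client address, so the proxy host has to claim it here
    instead of forwarding it on. Returns the flow key it updated, else None."""
    parsed = parse_frag_needed(pkt)
    if parsed is None:
        return None
    mtu, key = parsed
    # Ignore flows we do not own, a zero MTU (pre-RFC 1191 router), and
    # anything that would not shrink the current estimate.
    if key not in proxy_flows or mtu == 0 or mtu >= proxy_flows[key]:
        return None
    proxy_flows[key] = mtu
    return key
```

A flow the proxy host does not own (for example a real client behind it that sent its own packet) is simply not matched here, which is the case where the ICMP should instead be forwarded to that client.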
