I don't need no stinking firewall!

William Herrin bill at herrin.us
Sun Jan 10 17:47:24 UTC 2010

On Sun, Jan 10, 2010 at 3:48 AM, James Hess <mysidia at gmail.com> wrote:
> there are a few different  things that can be
> done,  such as  the firewall answering on behalf of the server (using
> SYN cookies) and negotiating connection with the server after the
> final ACK.


That's called a proxy or sometimes an application-layer gateway. The
problem with proxies, aside from the extra computing overhead, is that
they radically change the failure semantics of a TCP connection. The
sender believes itself connected and has transferred the first window
worth of data (which may be all the data he needs to transmit) while
the firewall is still trying to connect to the recipient. Often the
proxy isn't clever enough to send an RST in stead of a FIN so the
remote application thinks it has a successful finish. Even if it does
send an RST, most application developers aren't well enough versed in
sockets programming to block on the shutdown and check the success
status, and even if they do they may report a different error than the
basic "failed to connect."

Proxies can be a useful tool but they should be used with caution and
only when you're absolutely sure that the difference in TCP failure
semantics is not important to the protocol you're proxying.

Bill Herrin

William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

More information about the NANOG mailing list