I don't need no stinking firewall!
mysidia at gmail.com
Sun Jan 10 21:55:39 UTC 2010
On Sun, Jan 10, 2010 at 11:47 AM, William Herrin <bill at herrin.us> wrote:
> On Sun, Jan 10, 2010 at 3:48 AM, James Hess <mysidia at gmail.com> wrote:
>> there are a few different things that can be
>> done, such as the firewall answering on behalf of the server (using
>> SYN cookies) and negotiating connection with the server after the
>> final ACK.
> That's called a proxy or sometimes an application-layer gateway. The
I'm not really referring to ALGs, but to Layer 3 proxies, that
are application-agnostic -- simply manipulate the connection setup,
and then step 'out of the way' performing only mechanical
translation of SEQ numbers / port numbers. However, appliction
layer gateways are still stateful firewalls.
Content switches and load balancers that track connections and
allow access control are also stateful firewalls.
They are widely used, for many different kinds of applications.
> they radically change the failure semantics of a TCP connection. The
> sender believes itself connected and has transferred the first window
> worth of data (which may be all the data he needs to transmit) while
And if the initial window size is 0?
> send an RST, most application developers aren't well enough versed in
> sockets programming to block on the shutdown and check the success
> status, and even if they do they may report a different error than the
> basic "failed to connect."
I agree that could be an issue. The proxy might do the wrong
thing, the application might do the wrong thing.
> Proxies can be a useful tool but they should be used with caution and
I agree they should be used with caution.
I don't agree with "You never need a proxy in front of a server,
it's only there to fail".
More information about the NANOG