[121113] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (James Hess)
Sun Jan 10 16:56:26 2010

In-Reply-To: <3c3e3fca1001100947i43482aacq1d70d78dbfbbf531@mail.gmail.com>
Date: Sun, 10 Jan 2010 15:55:39 -0600
From: James Hess <mysidia@gmail.com>
To: William Herrin <bill@herrin.us>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sun, Jan 10, 2010 at 11:47 AM, William Herrin <bill@herrin.us> wrote:
> On Sun, Jan 10, 2010 at 3:48 AM, James Hess <mysidia@gmail.com> wrote:
>> there are a few different things that can be
>> done, such as the firewall answering on behalf of the server (using
>> SYN cookies) and negotiating connection with the server after the
>> final ACK.
> That's called a proxy or sometimes an application-layer gateway. The

I'm not really referring to ALGs, but to Layer 3 proxies, that
are application-agnostic -- simply manipulate the connection setup,
and then step 'out of the way' performing only mechanical
translation of SEQ numbers / port numbers. However, application
layer gateways are still stateful firewalls.
Content switches and load balancers that track connections and
allow access control are also stateful firewalls.

They are widely used, for many different kinds of applications.

> they radically change the failure semantics of a TCP connection. The
> sender believes itself connected and has transferred the first window
> worth of data (which may be all the data he needs to transmit) while

And if the initial window size is 0?

> send an RST, most application developers aren't well enough versed in
> sockets programming to block on the shutdown and check the success
> status, and even if they do they may report a different error than the
> basic "failed to connect."

I agree that could be an issue. The proxy might do the wrong
thing, the application might do the wrong thing.

> Proxies can be a useful tool but they should be used with caution and

I agree they should be used with caution.
I don't agree with "You never need a proxy in front of a server,
it's only there to fail".

--
-J
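An added, constructed illustration (not code from this thread or from any vendor's product) of the application-agnostic SYN-cookie proxy James describes: the proxy answers the client's SYN with a stateless cookie as its ISN, allocates flow state only when the client's final ACK proves the cookie, and from then on only rewrites SEQ/ACK numbers between the client's and the server's sequence spaces. All names (`make_syn_cookie`, `FlowState`, `complete_handshake`) and the 64-second slot layout are hypothetical; the server-side connection is simulated by passing in the ISN the real server would have chosen.

```python
import hashlib
import hmac
import os

# Constructed illustration of a stateless SYN-cookie proxy; hypothetical names.
SECRET = os.urandom(16)     # per-process key for minting cookies
SLOT_SECONDS = 64           # cookie time slot width
ACCEPT_SLOTS = 2            # accept the current and the previous slot


def _mac(client, server, slot):
    """24-bit MAC over the flow endpoints and time slot: no per-SYN state."""
    msg = f"{client}|{server}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(client, server, now):
    """ISN the proxy sends in its SYN-ACK: 8 bits of slot, 24 bits of MAC."""
    slot = int(now) // SLOT_SECONDS
    return ((slot & 0xFF) << 24) | _mac(client, server, slot)


def check_syn_cookie(isn, client, server, now):
    """True if isn is a cookie this proxy minted recently for this flow."""
    slot_now = int(now) // SLOT_SECONDS
    for back in range(ACCEPT_SLOTS):
        slot = slot_now - back
        if (slot & 0xFF) == isn >> 24 and _mac(client, server, slot) == (isn & 0xFFFFFF):
            return True
    return False


class FlowState:
    """Allocated only after the client's final ACK; then the proxy steps aside
    and mechanically rewrites SEQ/ACK numbers between the two sequence spaces."""
    def __init__(self, proxy_isn, server_isn):
        self.delta = (server_isn - proxy_isn) & 0xFFFFFFFF   # server chose its own ISN

    def server_to_client_seq(self, seq):
        return (seq - self.delta) & 0xFFFFFFFF   # into the client's (cookie) space

    def client_to_server_ack(self, ack):
        return (ack + self.delta) & 0xFFFFFFFF   # into the server's real space


def complete_handshake(client, server, client_ack, server_isn, now):
    """Client's final ACK arrives: validate the cookie, then open the real
    server-side connection (simulated here by the caller-supplied server_isn)."""
    proxy_isn = (client_ack - 1) & 0xFFFFFFFF
    if not check_syn_cookie(proxy_isn, client, server, now):
        return None   # stale or forged ACK: drop; nothing was ever allocated
    return FlowState(proxy_isn, server_isn)
```

A SYN that never completes its handshake costs the proxy nothing but the SYN-ACK it sent, which is what makes this shape of proxy useful against SYN floods; the cost, as the thread notes, is that a server that is down is only discovered after the client already believes it is connected.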

