Re: I don't need no stinking firewall!

[James Hess <mysidia () gmail com>]

On Sun, Jan 10, 2010 at 11:47 AM, William Herrin <bill () herrin us> wrote:
> On Sun, Jan 10, 2010 at 3:48 AM, James Hess <mysidia () gmail com> wrote:
> >  there are a few different  things that can be
> > done,  such as  the firewall answering on behalf of the server (using
> > SYN cookies) and negotiating connection with the server after the
> > final ACK.
> That's called a proxy or sometimes an application-layer gateway. The

I'm not really referring to ALGs,  but to   Layer 3  proxies,  that
are application-agnostic  -- simply  manipulate  the connection setup,
 and then step 'out of the way'   performing only  mechanical
translation of SEQ numbers / port numbers.   However,  appliction
layer gateways are still stateful firewalls.
Content switches and load balancers  that  track connections and
allow access control are also stateful firewalls.

They are widely used,  for many different kinds of applications.

> they radically change the failure semantics of a TCP connection. The
> sender believes itself connected and has transferred the first window
> worth of data (which may be all the data he needs to transmit) while

And if the initial window size is  0?

> send an RST, most application developers aren't well enough versed in
> sockets programming to block on the shutdown and check the success
> status, and even if they do they may report a different error than the
> basic "failed to connect."

I  agree that could be an issue.      The proxy might do the wrong
thing,  the application  might do the wrong thing.

> Proxies can be a useful tool but they should be used with caution and

I agree they should be used with caution.
I don't agree  with "You never need a proxy in front of a server,
it's only there to fail".

--
-J