On Sun, Jan 10, 2010 at 11:47 AM, William Herrin <bill@herrin.us> wrote:
On Sun, Jan 10, 2010 at 3:48 AM, James Hess <mysidia@gmail.com> wrote:
there are a few different things that can be done, such as the firewall answering on behalf of the server (using SYN cookies) and negotiating connection with the server after the final ACK. That's called a proxy or sometimes an application-layer gateway. The
I'm not really referring to ALGs, but to Layer 3 proxies, that are application-agnostic -- simply manipulate the connection setup, and then step 'out of the way' performing only mechanical translation of SEQ numbers / port numbers. However, appliction layer gateways are still stateful firewalls. Content switches and load balancers that track connections and allow access control are also stateful firewalls. They are widely used, for many different kinds of applications.
they radically change the failure semantics of a TCP connection. The sender believes itself connected and has transferred the first window worth of data (which may be all the data he needs to transmit) while
And if the initial window size is 0?
send an RST, most application developers aren't well enough versed in sockets programming to block on the shutdown and check the success status, and even if they do they may report a different error than the basic "failed to connect."
I agree that could be an issue. The proxy might do the wrong thing, the application might do the wrong thing.
Proxies can be a useful tool but they should be used with caution and
I agree they should be used with caution. I don't agree with "You never need a proxy in front of a server, it's only there to fail". -- -J