FW: [sclug] Firewalls

Sat Oct 25 09:05:32 UTC 2003

lug at assursys.co.uk wrote:
> On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:
> 
> 
>>lug at assursys.co.uk wrote:
>>
>>>On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:
>>>
>>>
>>>
>>>>lug at assursys.co.uk wrote:
>>>>
>>>>
>>>>>On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:
>>>>>
>>>>>
>>>>>>Yes,  but NAT sould only change the envelope part of the packet and not the
>>>>>>contents.
>>>>>
>>>>>
>>>>>That depends. It's impossible to get some protocols (non-PASV FTP being the
>>>>>most notable) working without modifying the payload. Yes, this is prone to
>>>>>error - consider what happens to the size of the packet if the client
>>>>>address is 1.2.3.4 and the NATted address is 111.122.133.144. Now consider
>>>>>what happens if the payload was already of size (MTU-40)...
>>>>>
>>>>
>>>>That's not a nice exercise to leave to the reader.  :-)
>>>>Though my guess is
>>>>
>>>>MTU - 40 = MTU - Envelope
>>>>
>>>>then in the envelope 1.2.3.4 would be 00000001 00000010 00000011 00000100
>>>>         and 111.122.133.144 would be 01101111 01111010 10000101 10010000
>>>>
>>>>in that case the envelope does not change size.
>>>
>>>
>>>It would be, apart from the fact that FTP uses ASCII when sending PORT
>>>commands... suddenly your packet is 4x2=8 bytes longer than it was. But the
>>>packet was already at maximum MTU size! Yow!
>>>
>>
>>But surely the port "command" is not part of the envelope but is in body.
> 
> 
> Sorry, missed that. But... in re-writing the ASCII PORT command in the
> payload, tha payload has grown by 8 bytes, thus taking the total packet size
> over the MTU size. The NAT device now needs to fragment the packet and
> recalculate checksums without either side being made aware of what it's up
> to.
> 

I'm not that up to the mark on the good old seven layer model and all
that jazz. Or exactly what layers are what in the TCP/IP stuff.  SO I
find it difficult to explain.  IMVHO.  If ftp is transmitting IP addresses
and port numbers in the data part thats a bit wrong.

Certainly I would not want do that sort of thing.  Of course FTP was around
before NAT so may be ftp would not be done like that today given the choice.

> Early-ish versions of a certain proprietary firewall product couldn't cope
> when asked to do this.
> 

As I said that's not a nice exercise to give the reader.  :-)
Though I thought that changes in the MTU from place to place happend
all the time.  I have no idea what MTU I have set on the Network cards
on my systems.  Nor do I know what MTU is used on the ISDN router I use
for my home to work connection or on the Speedbox my ISP provides for my
internet access.  Any difference in MTU should be delt by whatever layer
worries about that.

Tom.

-- 
There are 10 sorts of people.
Those that understand Binary and those that don't.