FW: [sclug] Firewalls

lug at assursys.co.uk lug at assursys.co.uk
Sat Oct 25 09:05:32 UTC 2003


On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:

> lug at assursys.co.uk wrote:
> > On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:
> > 
> > 
> >>lug at assursys.co.uk wrote:
> >>
> >>>On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:
> >>>
> >>>>Yes,  but NAT sould only change the envelope part of the packet and not the
> >>>>contents.
> >>>
> >>>
> >>>That depends. It's impossible to get some protocols (non-PASV FTP being the
> >>>most notable) working without modifying the payload. Yes, this is prone to
> >>>error - consider what happens to the size of the packet if the client
> >>>address is 1.2.3.4 and the NATted address is 111.122.133.144. Now consider
> >>>what happens if the payload was already of size (MTU-40)...
> >>>
> >>
> >>That's not a nice exercise to leave to the reader.  :-)
> >>Though my guess is
> >>
> >>MTU - 40 = MTU - Envelope
> >>
> >>then in the envelope 1.2.3.4 would be 00000001 00000010 00000011 00000100
> >>          and 111.122.133.144 would be 01101111 01111010 10000101 10010000
> >>
> >>in that case the envelope does not change size.
> > 
> > 
> > It would be, apart from the fact that FTP uses ASCII when sending PORT
> > commands... suddenly your packet is 4x2=8 bytes longer than it was. But the
> > packet was already at maximum MTU size! Yow!
> > 
> 
> But surely the port "command" is not part of the envelope but is in body.

Sorry, missed that. But... in re-writing the ASCII PORT command in the
payload, tha payload has grown by 8 bytes, thus taking the total packet size
over the MTU size. The NAT device now needs to fragment the packet and
recalculate checksums without either side being made aware of what it's up
to.

Early-ish versions of a certain proprietary firewall product couldn't cope
when asked to do this.

> Tom.

Alex.
-- 
Alex Butcher        Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK                        Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950                           <http://www.assursys.com/>



More information about the Sclug mailing list