URG means urgent as in emergency and is really only useful in long session protocols like telnet and FTP. Most often the protocol just needs the PUSH flag set, rather than URG. The main problem with URG is that it also entails extra data in the packet so, as was shown for a BSD stack, it requires special handling. A good proxy firewall will often handle the URG data itself since it is normally data for the session rather than the protocol (a control-C to an FTP download for example says terminate this part of the session). A proper proxy for the protocol will understand the protocol's use of urgent data and either absorb it without re-transmission or send a sanitised version to the host on the other side of the firewall. Since a proxy re-creates the session, there is no assumption that ANY TCP/IP flags will cross the firewall.
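To make the "proxy absorbs or sanitises the urgent data" point concrete, here is an added example (my own illustration, not code from anyone in this thread or from any firewall product): it parses a bare TCP segment, separates the urgent bytes from the in-band bytes using the RFC 793 reading of the urgent pointer (offset of the first byte after the urgent data), and forwards only in-band data, so neither the URG flag nor the urgent pointer ever crosses. The segment builder and its payloads are constructed test data; a pointer that lands past the end of the segment is simply dropped here, where a real session-aware proxy would have to buffer it.

```python
import struct

# TCP flag bits in the low 9 bits of the data-offset/flags word (RFC 793 / RFC 3168).
FLAG_URG = 0x20
FLAG_PSH = 0x08


def build_segment(payload: bytes, flags: int, urg_ptr: int = 0) -> bytes:
    """Constructed sample TCP segment: 20-byte header, no options, checksum left zero.
    Ports, sequence and ack numbers are arbitrary placeholders."""
    hdr = struct.pack("!HHIIHHHH", 40000, 23, 1000, 2000,
                      (5 << 12) | flags, 8192, 0, urg_ptr)
    return hdr + payload


def parse_segment(segment: bytes) -> dict:
    """Parse a TCP header (no IP header in front) and split off the payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags,
     win, csum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4          # header length in bytes
    if data_off < 20 or data_off > len(segment):
        raise ValueError("bad data offset")
    return {"flags": off_flags & 0x1FF, "urg_ptr": urg_ptr,
            "payload": segment[data_off:]}


def proxy_urg(segment: bytes) -> tuple:
    """Proxy-style handling of one segment.
    Returns (verdict, urgent_bytes, inband_bytes): urgent bytes are handed
    to the proxy's protocol logic, only in-band bytes are relayed, and the
    relayed stream is rebuilt by the proxy's own stack, so URG never crosses."""
    seg = parse_segment(segment)
    if not seg["flags"] & FLAG_URG:
        return ("forward", b"", seg["payload"])
    up, data = seg["urg_ptr"], seg["payload"]
    if up > len(data):
        # Urgent data continues in a later segment; this simplified handler
        # refuses rather than relaying a half-parsed urgent sequence.
        return ("drop", b"", b"")
    return ("sanitised", data[:up], data[up:])
```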
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of kk downing
Sent: Mon April 08 2002 10:57
To: Mikael Olsson; Paul D. Robertson
Cc: [EMAIL PROTECTED]
Subject: Re: Proxy vs stateful... oh no, not again :) (Was: Re: Migration from Gauntlet 5 to Firewall-1)

What is the problem with URG data? Doesn't URG have a perfectly legal place in TCP? If you stripped URG wouldn't that break telnet or some other interactive application? Am I missing something here?

Thanks

--- Mikael Olsson <[EMAIL PROTECTED]> wrote:
>
> "Paul D. Robertson" wrote:
> >
> > [on stateful inspection firewalls needing to know about stuff
> > that proxies don't]
> > Ah, but the point still stands that the packet filter has to know about
> > some frag and other bugs (like URG)- and indeed has to do things like
> > "drop all packets with URG set" because there might be one unpatched
> > client (after the firewall's been updated) rather than allow legitimate
> > URG traffic after the firewall's been patched.
> > (Or strip URG data, which is what a proxy usually would be doing ;))
>
> Isn't there an interesting flip-side to this? That since the firewall
> needs to know about all of this (it being properly upgraded and
> professionally administered and all), it can also trigger alerts on
> these events?
>
> (But on the other hand, the same can also be said about IDSes with
> external sensors, if this hypothetical organization has paid for it?)
>
> > On Fri, 5 Apr 2002, Mikael Olsson wrote:
> > > Please show me how to divide a corporate network, with
> > > multiple publicly accessible servers with different
> > > security ratings, and with back-end servers accessible
> > > from said servers, into ... oh, let's say fifty different
> > > security zones, using any proxy firewall available today.
> >
> > 4 Ultra2's with 3 QFEs each (yes, the U2 is EOL, but that's how I used to
> > build them.) Lots of PCs with Linux and open source proxies. One box
> > with lots of proxies and per-ruleset and per-address block IP to proxy
> > mappings. Alternately, IPSEC to the proxies. That's if you want fair
> > separation, otherwise, just do it in the rulebases.
>
> Are you telling me that you've actually set up and successfully supported
> installations like this? (With or without IPSEC to the proxies?)
>
> Don't get me wrong; I'm just baffled and would truly like to know.
>
> On another note: I think my original question was more aimed at
> commercially available stuff, although I didn't say that - I know. Open
> source is all well and good, given the standard set of arguments, but
> often you also trg gb or fpnerq fuvgyrff ol fbzr crbcyr'f (ynpx bs)
> pbqvat cenpgvprf. But then again, that's all IMHO and very inflammatory,
> hence the ebg13.
>
> Regards,
> Mikael Olsson
>
> PS. Yes I know, proxy vs state is a really old topic and still very
> inflammatory and we both know that a combo is the best way to go.
> However, I still think there are a couple of interesting points left
> to hash out. I'll try to stay away from evangelism and flames if you
> do the same, mkay? :)
>
> --
> Mikael Olsson, Clavister AB
> Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
> Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
> Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
