Great Circle Associates Firewalls
(July 1996)
 


Subject: Re: IP Masquerading and vulnerabilities
From: Julio Sanchez <jsanchez @ esegi . es>
Organization: GMV, S.A.
Date: 27 Jul 1996 16:24:55 +0200
To: gmv-gw-lists-firewalls @ gmv . es
In-reply-to: shaver @ neon . ingenia . ca's message of Sun, 14 Jul 1996 02:17:52
Newsgroups: gmv.gw-lists.firewalls
References: <199607140617 . CAA20357 @ neon . ingenia . com>

So shaver@neon.ingenia.ca (Mike Shaver) spoke:
> The Linux 2.0 CONFIG_ALWAYS_DEFRAG stuff is designed to make the
> transparent proxy and NAT code more correct; otherwise, you can get
> things like PORT commands (which matter to the NAT stuff, obviously)
> split between 2 fragments.
> 
> My recommendation is that the transparent proxy stuff is better than
> the NAT stuff (Darren? =) ), but it's not quite as plug-and-play.

Darren has not addressed this with his favourite point.  So excuse me
if I make his point for him :-)

What he has repeatedly said is that TCP has no record boundaries, so
even if you always defragment (that obviously makes filtering easier),
you still may get the application data in pieces, i.e. in different
packets, for a number of reasons, some of them accidental, some of
them intentional.  You still might get the PORT command in several
pieces.

So unless the packet level thing (whether it is for filtering or NAT)
is also messing with the TCP engine, you are better off with a proxy.
It will always work.

Julio

Julio Sanchez, SGI Soluciones Globales Internet
Tel: (91) 804 28 37 Fax: (91) 804 14 05  WWW: http://www.esegi.es
jsanchez@esegi.es  jsanchez@gmv.es
PGP Key fingerprint =  E5 29 93 6F 41 4E 00 E2  90 11 A1 8C 72 D0 DE 71
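The point above, as an added illustration that is not part of this thread: a packet-level check that looks for a whole FTP PORT command in each TCP payload misses the command when it spans two segments, while a check that first reassembles the stream by sequence number finds it. The segments below are constructed sample data, assumed already defragmented at the IP layer.

```python
import re
from typing import List, Optional, Tuple

Segment = Tuple[int, bytes]          # (TCP sequence number, payload)
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")

# Constructed FTP control-channel traffic. In SPLIT the PORT command is
# delivered in two segments; TCP is free to do this at any byte boundary.
WHOLE: List[Segment] = [(1000, b"USER anonymous\r\n"),
                        (1016, b"PORT 10,0,0,5,4,210\r\n")]
SPLIT: List[Segment] = [(1000, b"USER anonymous\r\n"),
                        (1016, b"PORT 10,0,"),
                        (1026, b"0,5,4,210\r\n")]


def parse_port(m: re.Match) -> Tuple[str, int]:
    """Decode h1,h2,h3,h4,p1,p2 into (address, port)."""
    a, b, c, d, p_hi, p_lo = (int(x) for x in m.groups())
    return (f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo)


def find_port_per_packet(segments: List[Segment]) -> Optional[Tuple[str, int]]:
    """Packet-level NAT/filter view: inspects each payload in isolation."""
    for _, payload in segments:
        m = PORT_RE.search(payload)
        if m:
            return parse_port(m)
    return None            # command split across segments: not seen


def find_port_in_stream(segments: List[Segment]) -> Optional[Tuple[str, int]]:
    """Proxy-like view: reassemble the byte stream, then inspect it."""
    ordered = sorted(segments, key=lambda s: s[0])
    if not ordered:
        return None
    buf, expected = b"", ordered[0][0]
    for seq, payload in ordered:
        if seq != expected:     # gap or overlap: do not guess, wait for data
            return None
        buf += payload
        expected += len(payload)
    m = PORT_RE.search(buf)
    return parse_port(m) if m else None
```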

