[Dshield] A perplexing question

Joshua Krage jkrage at buser.net
Wed Mar 14 23:18:30 GMT 2001

On Wed, Mar 14, 2001 at 12:13:52PM +0100, John Kimbler wrote:
> Does a Gauntlet (or any) firewall change the MTU values that are negotiated
> when a client behind a firewall connects to a destination that is on the

Depends on the firewall.

Filtering firewalls ala PIX, Checkpoint, IPchains, etc. usually just relay
the packet.  No changes.  You have a 1 to 1 correspondence of input packets
to output packets.  So MTUs would be expected to remain constant.  Path
MTU discovery will work unless filtered.

Proxy firewalls ala Raptor and Gauntlet relay the /data/, not the packet.
They use entirely new packets on the outgoing side of the transmission.
You might not have a 1 to 1 correspondence of input to output packets.
The MTU of the outgoing packet will be set as the firewall's OS chooses,
usually the default for the network type.  Path MTU discovery will fail
unless explicitly enabled (not recommended here).

It is theoretically possible, depending on how the proxy code is written,
for a proxy firewall on two networks with widely varying MTUs to
consolidate multiple packets from the lower-MTU network into a single
packet on the larger MTU network.
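The three behaviours described in the reply (a packet filter relaying packets 1:1 so PMTU discovery works only while ICMP "fragmentation needed" gets through, a proxy re-sending the data in packets sized by its own OS with PMTUD off, and a proxy consolidating many small packets from a low-MTU network into fewer large ones) can be modelled in a few dozen lines. The following is an added illustration, not code from the thread or from any Gauntlet, Raptor, PIX or Checkpoint product; the MTU values (1500, 576 and a 1400-byte downstream link) and the 4000-byte payload are constructed, and IP fragment offsets are not aligned to 8-byte units, which a real router would do.

```python
"""Toy model of packet-filter vs proxy firewall behaviour w.r.t. MTU and PMTUD.
Constructed example with illustrative MTU values; not a real product's code."""
from dataclasses import dataclass

IP_HDR, TCP_HDR = 20, 20          # header sizes used to convert MTU <-> MSS


@dataclass
class Packet:
    payload: bytes
    df: bool = True               # Don't Fragment bit, set when PMTUD is in use

    @property
    def size(self) -> int:
        return IP_HDR + TCP_HDR + len(self.payload)


def segment(data: bytes, mtu: int, df: bool) -> list:
    """Split a byte stream into TCP segments that fit the given MTU."""
    mss = mtu - IP_HDR - TCP_HDR
    return [Packet(data[i:i + mss], df) for i in range(0, len(data), mss)]


def filtering_firewall(packets: list) -> list:
    """Packet filter: each input packet is relayed unchanged, 1:1."""
    return list(packets)


def proxy_firewall(packets: list, out_mtu: int, pmtud_enabled: bool = False) -> list:
    """Proxy: terminates the inbound connection, reassembles the data and
    re-sends it in new packets sized by its own OS default (out_mtu).
    With PMTUD disabled on the firewall OS the outbound packets carry DF=0."""
    stream = b"".join(p.payload for p in packets)
    return segment(stream, out_mtu, df=pmtud_enabled)


def send_over_link(packets: list, link_mtu: int, icmp_passes: bool) -> dict:
    """Deliver packets across a downstream link with a smaller MTU.
    A DF packet larger than the link is dropped and an ICMP 'fragmentation
    needed' (type 3, code 4) goes back to the sender; if the firewall filters
    that ICMP the sender never learns the smaller MTU and keeps retransmitting
    at the same size (a PMTUD black hole). Non-DF packets are fragmented by
    the router instead, so they arrive, at the cost of extra fragments."""
    delivered = fragments = blackholed = 0
    for p in packets:
        if p.size <= link_mtu:
            delivered += 1
        elif not p.df:
            # Router fragments the TCP header + payload into link-sized pieces
            # (ceiling division; 8-byte offset alignment ignored for brevity).
            frag_payload = link_mtu - IP_HDR
            fragments += -(-(TCP_HDR + len(p.payload)) // frag_payload)
            delivered += 1
        elif icmp_passes:
            # Sender receives the next-hop MTU and resegments this packet.
            delivered += len(segment(p.payload, link_mtu, df=True))
        else:
            blackholed += 1
    return {"delivered": delivered, "fragments": fragments, "blackholed": blackholed}


def compare(data_len: int = 4000) -> dict:
    """Run the scenarios from the discussion on one constructed byte stream."""
    data = b"x" * data_len                        # constructed payload
    client = segment(data, 1500, df=True)         # client behind the firewall, PMTUD on
    small_net = segment(data, 576, df=True)       # same data from a 576-byte MTU network
    return {
        # Filter, ICMP frag-needed allowed through: PMTUD works, packets resized.
        "filter_icmp_ok": send_over_link(filtering_firewall(client), 1400, icmp_passes=True),
        # Filter, ICMP frag-needed dropped: large DF packets are black-holed.
        "filter_icmp_dropped": send_over_link(filtering_firewall(client), 1400, icmp_passes=False),
        # Proxy with PMTUD off: DF clear, the router fragments instead.
        "proxy_pmtud_off": send_over_link(proxy_firewall(client, 1500), 1400, icmp_passes=True),
        # Proxy consolidating 576-MTU packets onto a 1500-MTU network: fewer, larger packets.
        "consolidation": (len(small_net), len(proxy_firewall(small_net, 1500))),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

The two filter rows are the defender's takeaway: the filter itself never touches packet sizes, so whether end-to-end PMTU discovery works is decided entirely by whether ICMP type 3 code 4 is allowed back through it. The proxy rows show why the firewall OS's own settings, not the client's, govern the outbound packet sizes and count.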

