RE: OT: NOT Sonicwall Issue

  • From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 16 Sep 2003 11:47:36 -0700

> I've read the article but it doesn't explain why I can get to the https
> sites by taking the firewall out of the picture.

"Information to, from and across the Internet is sent in what are called
packets, or envelopes. These come in various sizes depending on the nature
of the request and the amount of information. For example, a ping is a very
small packet while a web page with lots of graphics and material will use
many (possibly hundreds) of large packets to transport all the information
to you. Think of it as the difference between a post card and an envelope
that contains your tax returns."

"Sometimes, the packet size is restricted by either a firewall, a router on
the Internet, or by one of the computers. Generally, the packet (MTU) size
is negotiated between the two computers involved and is generally less than
1500. If the MTU size is not negotiated properly, routers and firewalls have
the ability to fragment the packets into smaller sizes that can then pass
correctly."

"However, in the case of some secure websites, the security software
installed sees that the packets have been fragmented or otherwise altered,
takes that as an indication that the information in the packet is possibly
malicious, and silently drops it. In the meantime, the requesting computer
is sitting there waiting and waiting, until it finally times itself out."

"This can also be caused by either a router, firewall or computer in the
path which is blocking ICMP Code 3 Type 4 packets, which blocks the sending
computer or firewall from discovering the MTU path and/or size available."

I am sorry, but I do not have time to go in depth for free on a public forum
on how packets are created, fragmented, recreated, changed and altered to
satisfy the various elements, including NICs, routers, firewalls, hubs and
switches, that make up the big communication link we call the Internet.

If you need detailed information, I would suggest picking up a good book on
TCP/IP that explains about packets and routing and MTU sizes.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
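The mechanism the quoted text describes is path MTU discovery: a sender marks packets "don't fragment", a router whose next link is too small replies with an ICMP Destination Unreachable / Fragmentation Needed message (ICMP type 3, code 4, RFC 1191) carrying the next-hop MTU, and the sender shrinks its packets. If a firewall on the return path drops that ICMP message, the sender never learns the smaller MTU and the large packets vanish silently. The following is an added example, not code from the original post or from the article it quotes; the sample ICMP message, addresses and link MTUs are constructed for illustration. It parses a frag-needed message, derives the TCP MSS a sender should fall back to, and simulates discovery on a path with and without an ICMP-filtering hop.

```python
"""Path MTU discovery and the ICMP "fragmentation needed" black hole.

Added example, not from the original thread. The ICMP message, IP header
and path MTUs below are constructed sample data.
"""
import struct

ICMP_DEST_UNREACH = 3   # ICMP type: Destination Unreachable
ICMP_FRAG_NEEDED = 4    # ICMP code: Fragmentation Needed and DF was set
IPV4_HEADER_LEN = 20
TCP_HEADER_LEN = 20


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, orig_ip_header_plus_8: bytes) -> bytes:
    """Build the type 3 / code 4 message a router sends (RFC 1191 layout:
    type, code, checksum, unused, next-hop MTU, then the offending packet's
    IP header plus its first 8 bytes)."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + orig_ip_header_plus_8
    csum = icmp_checksum(body)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum, 0,
                       next_hop_mtu) + orig_ip_header_plus_8


def parse_frag_needed(msg: bytes):
    """Return the advertised next-hop MTU, or None if this is not a valid
    frag-needed message (wrong type/code, truncated, or bad checksum)."""
    if len(msg) < 8 + IPV4_HEADER_LEN + 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    if icmp_checksum(msg) != 0:
        return None
    return mtu


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP segment that fits the MTU with plain IPv4/TCP headers."""
    return mtu - IPV4_HEADER_LEN - TCP_HEADER_LEN


def send_with_df(packet_len: int, path_mtus, icmp_filter_hop=None):
    """Simulate one DF-marked packet crossing hops with the given link MTUs.
    Returns ("delivered", None), ("frag_needed", mtu) when the ICMP error
    reaches the sender, or ("blackhole", None) when a hop closer to the
    sender than the reporting router drops the returning ICMP message."""
    for hop, mtu in enumerate(path_mtus):
        if packet_len > mtu:
            if icmp_filter_hop is not None and icmp_filter_hop < hop:
                return ("blackhole", None)
            return ("frag_needed", mtu)
    return ("delivered", None)


def discover_path_mtu(path_mtus, icmp_filter_hop=None, start=1500, max_rounds=10):
    """Classic PMTUD loop: send, shrink to the advertised MTU, repeat.
    Returns the usable MTU, or None when the sender only ever times out."""
    mtu = start
    for _ in range(max_rounds):
        status, hint = send_with_df(mtu, path_mtus, icmp_filter_hop)
        if status == "delivered":
            return mtu
        if status == "frag_needed" and hint < mtu:
            mtu = hint
            continue
        return None  # black hole: the client waits until it times out
    return None


# Constructed sample: the IP header + 8 bytes of a 1500-byte HTTPS packet
# from 192.0.2.10:51234 to 198.51.100.7:443 with DF set (flags 0x4000).
SAMPLE_ORIG = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000,
                          64, 6, 0, bytes([192, 0, 2, 10]),
                          bytes([198, 51, 100, 7])) + struct.pack("!HHI", 51234, 443, 1)
SAMPLE_MSG = build_frag_needed(1492, SAMPLE_ORIG)   # e.g. a PPPoE link on the path

if __name__ == "__main__":
    mtu = parse_frag_needed(SAMPLE_MSG)
    print("advertised next-hop MTU:", mtu, "-> clamp MSS to", mss_for_mtu(mtu))
    print("open path:", discover_path_mtu([1500, 1492, 1500]))
    print("ICMP filtered at hop 0:", discover_path_mtu([1500, 1492, 1500], icmp_filter_hop=0))
```

The practical fix on the firewall side is the one the simulation suggests: permit inbound ICMP type 3 code 4 (and ideally type 3 in general with rate limiting), or clamp the TCP MSS at the edge to `mss_for_mtu(link_mtu)` so that large segments never need to be fragmented in the first place.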
