Today, a technical challenge about the behavior of Juniper SRX firewalls. I’m curious to hear your opinions on this, but no cheating and labbing it up, because I want to hear what you think should happen (and, if different, what you think will happen).
In the next post I’ll talk about the answer.
Imagine that I have a Juniper SRX high end firewall protecting my network. My DMZ is composed of multiple public networks hanging off a router behind the firewall. Internal links all use RFC1918 addressing:
Ok? So traffic coming from the Internet (Host1) to hit one of my DMZ servers (Host2) will pass through the firewall which (rules permitting) will forward traffic to the router to which the DMZ subnets are attached.
Imagine that one of the DMZ networks (for whatever reason) has a smaller than normal MTU configured on the router interface. When traffic is sent to a server on that network from the Internet using the usual maximum frame size, there’s a good chance that the packet cannot be forwarded on to the DMZ host (Host2), and my router will need to generate a “Fragmentation Needed but DF bit set” ICMP message (Type 3/Code 4) to let the sending host (Host1) know that there was a problem sending that particular frame onward towards the destination.
Who would choose to set the DF (Don’t Fragment) bit? Well, any client running Path MTU Discovery (PMTUD), so quite a few of them in fact. Once the client receives an ICMP Type 3/Code 4 from a device along the traffic path, it can adjust the maximum packet size it will try to send to that destination to fit the available MTU; that’s PMTUD. Without the ICMP message, traffic simply black holes (it is dropped by the router with the MTU problem), the sender has no idea what’s going on, and it will retransmit as if the packet were lost. Needless to say, the retransmission is also lost.
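To make the PMTUD mechanics concrete, here is an added Python simulation (not code from the original post) that builds a DF-marked packet, has a router with a small-MTU DMZ interface answer with an ICMP Type 3/Code 4, and shows the sender lowering its path MTU, versus the black-hole case where no ICMP comes back and the retransmissions are lost too. The addresses, the dummy TCP header and the 1400-byte DMZ MTU are constructed for the example. The parser also pulls out the quoted inner IP header and ports, which is the only information any device on the return path has for tying the error back to the original flow; it takes no position on what the firewall does with the source address.

```python
import struct

# Constructed sample addresses for this example (not from the original post).
HOST1 = "198.51.100.10"   # Internet sender running PMTUD
HOST2 = "203.0.113.20"    # DMZ server behind the router
ROUTER = "10.0.0.1"       # router's RFC1918 address, used as the ICMP source here
IP_DF = 0x4000            # Don't Fragment flag in the IPv4 flags/fragment-offset field


def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))


def b2ip(b):
    return ".".join(str(x) for x in b)


def checksum(data):
    """RFC 1071 one's-complement checksum, as used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src, dst, proto, payload, flags=IP_DF):
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags, 64, proto, 0, ip2b(src), ip2b(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp_segment(src, dst, size):
    """DF-marked IPv4/TCP packet of exactly `size` bytes with a dummy 20-byte TCP header."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ipv4(src, dst, 6, tcp + b"A" * (size - 20 - len(tcp)))


def frag_needed(router_ip, original, next_hop_mtu):
    """ICMP Type 3/Code 4 quoting the dropped packet's IP header + 8 bytes (RFC 792/1191)."""
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4(router_ip, b2ip(original[12:16]), 1, icmp, flags=0)


def parse_icmp_error(pkt):
    """Decode a Frag-Needed message; None if it is not a checksum-valid Type 3/Code 4."""
    if pkt[9] != 1:                      # outer protocol must be ICMP
        return None
    icmp = pkt[20:]
    if icmp[0] != 3 or icmp[1] != 4 or checksum(icmp) != 0:
        return None
    inner = icmp[8:]                     # quoted header of the packet that was dropped
    return {
        "src": b2ip(pkt[12:16]),         # who the error appears to come from
        "mtu": struct.unpack("!H", icmp[6:8])[0],
        "inner_src": b2ip(inner[12:16]), # original sender, i.e. the host that must shrink
        "inner_dst": b2ip(inner[16:20]),
        "inner_proto": inner[9],
        "inner_ports": struct.unpack("!HH", inner[20:24]),
    }


def router_forward(pkt, egress_mtu, send_icmp=True):
    """Router with a small-MTU DMZ link: deliver, or drop with/without an ICMP error."""
    if len(pkt) <= egress_mtu:
        return "delivered", None
    if struct.unpack("!H", pkt[6:8])[0] & IP_DF:
        return "dropped", frag_needed(ROUTER, pkt, egress_mtu) if send_icmp else None
    return "fragmented", None            # no DF bit: router may fragment instead


class PmtudSender:
    def __init__(self, ip):
        self.ip = ip
        self.path_mtu = {}               # destination -> learned path MTU

    def mtu_for(self, dst):
        return self.path_mtu.get(dst, 1500)

    def on_icmp(self, pkt):
        info = parse_icmp_error(pkt)
        # Only honour errors that quote a packet this host actually sent, and never go below 68.
        if info and info["inner_src"] == self.ip and 68 <= info["mtu"] < self.mtu_for(info["inner_dst"]):
            self.path_mtu[info["inner_dst"]] = info["mtu"]
            return info["mtu"]
        return None


def run_pmtud(dmz_mtu, send_icmp=True, retries=3):
    """Send a full-size packet HOST1 -> HOST2; returns (status, attempts, learned MTU)."""
    host1 = PmtudSender(HOST1)
    for attempt in range(1, retries + 1):
        pkt = tcp_segment(HOST1, HOST2, host1.mtu_for(HOST2))
        status, icmp = router_forward(pkt, dmz_mtu, send_icmp)
        if status == "delivered":
            return status, attempt, host1.mtu_for(HOST2)
        if icmp is not None:
            host1.on_icmp(icmp)          # shrink and retry with the advertised next-hop MTU
    return "black-holed", retries, host1.mtu_for(HOST2)


if __name__ == "__main__":
    print(run_pmtud(1400))                    # ('delivered', 2, 1400)
    print(run_pmtud(1400, send_icmp=False))   # ('black-holed', 3, 1500)
```

With the ICMP message delivered, the second attempt already fits the 1400-byte link; with it suppressed, every retry is the same 1500-byte packet and all of them are dropped, which is exactly the black-hole symptom described above.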
When the Router sends back an ICMP Type3/Code4 to Host1, the sender of the packet that it cannot transmit, what will the source IP of the ICMP packet be as seen when received by Host1? You may assume that the firewall is configured with a policy to NAT RFC1918 traffic outbound to the Internet.
Think carefully, and please let me know what you conclude. Results soon!