<?xml version="1.0" encoding="iso-8859-1" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>How do Firewalls handle 'Content-Encoding:'?</title> <meta name="author" content="Michael Schröpl" /> <meta name="description" content="A description of the behaviour of some firewalls regarding compressed page contents" /> <meta name="keywords" content="firewall, HTTP, encoding, gzip, compression" /> <style type="text/css"> body{font-family:sans-serif;margin:0px 30px 0px 30px;} h1{font-size:22px;margin-top:20px;} h2{font-size:18px;margin-top:14px;} small{font-size:80%;} td{vertical-align:top;} tt{font-weight:bold;} code,tt{font-family:"Courier New",monospace;} h1,h2{margin-bottom:1px;} p,td{margin-top:3px;margin-bottom:3px;} p,ul,ol,li{font-size:17px;line-height:22px;} ul,ol,li{margin-top:0px;margin-bottom:0px;} img{border-width:0;} #nav{position:absolute;top:30px;left:0px;font-size:14px;width:170px;font-weight:bold;margin:2px 2px 2px 30px;} #nav[id]{position:fixed;} #nav img{margin:5px;} #nav p, #nav a:hover, #nav a{display:block;padding:3px;margin:2px;width:150px;font-size:15px;line-height:18px;} #content{position:absolute;left:220px;right:30px;} #mail{text-align:right;} #icon{width:190px;float:left;} #mail,#icon{margin-top:30px;} @media screen { body{color:#000;background-color:#f8ebd9;} h1{color:#666;} h2{color:#840;} code{color:#333;} em{color:#900;} tt{color:#909;} h1,h2,code,em,tt{background-color:inherit;} .new13192a{color:#inherit;background-color:#ffd;} .new13261a{color:#inherit;background-color:#eff;} .bugfix{color:#fff;background-color:#f00;font-weight:bold;padding:0px 4px;} #nav a{color:#530;background-color:transparent;} #nav a{text-decoration:none;} #nav p, #nav a:hover{color:#000;background-color:#fff;} #nav p {border:1px #660 solid;} #nav a {border:1px #666 dotted;} } @media print { #icon,#nav{display:none;} 
#content{position:absolute;left:0px;right:0px;} } </style> </head>
<body>
<div id="nav">
<img src="mod_gzip_logo.gif" height="47" width="102" alt="mod_gzip logo" />
<a title="mod_gzip - what's that, anyway?" href="index.htm">mod_gzip</a>
<a title="Compression of HTTP content using Content-Encoding" href="encoding.htm">Content-Encoding</a>
<a title="Which browsers can handle 'Content-Encoding: gzip'?" href="browser.htm">Browsers</a>
<p>Firewalls</p>
<a title="An example configuration for mod_gzip" href="config.htm">Configuration</a>
<a title="Complete description of mod_gzip status codes" href="status.htm">Status Codes</a>
<a title="Possible enhancements in future versions of mod_gzip" href="enhancements.htm">Enhancements</a>
<a title="Caching of negotiated HTTP responses" href="cache.htm">Caching</a>
<a title="Version history and change log for mod_gzip" href="versions.htm">Versions</a>
<a title="Other resources about mod_gzip" href="links.htm">Links</a>
</div>
<div id="content">
<h1>How do Firewalls handle <code>Content-Encoding: gzip</code>?</h1>
<h2><a id="task"></a>Tasks of a firewall</h2>
<p>One of the tasks of a firewall - whether a company firewall or a personal firewall on a client computer - is to remove 'dangerous' or 'unwanted' content from received data.</p>
<p>This implies that the firewall <em>understands</em> this content.</p>
<p>Of course a correctly working firewall could simply understand and decompress compressed content, as the procedure used is explicitly named in the <code>Content-Encoding</code> HTTP header of the response.</p>
<h2><a id="easyway"></a>The 'easy way out'</h2>
<p>But some firewalls simply aren't capable of doing so. As they still try to fulfil their task, they do something very unwanted: they just remove the <code>Accept-Encoding</code> header from the request to be sent!</p>
<p>As a result, no correctly working server will send encoded data any more ... which is not really what we wanted, because the transfer speed may suffer massively from this.</p>
<p><em>Very stupid</em> firewalls, like <strong>Zone Alarm</strong>, simply overwrite the <code>Accept-Encoding</code> header with arbitrary characters, like <code>Xxxxxx-Xxxxxxx: xxxx, xxxxxxx</code>. This saves them from having to send the modified request packet in parts: they just throw the whole buffer onto the communication line, as its length hasn't changed.</p>
<p><em>A little less stupid</em> firewalls, like <strong>Cequrux</strong> from version 4.1.8 on, read the HTTP header line by line and remove the <code>Accept-Encoding</code> line completely. Nevertheless this is just as annoying.</p>
<h2><a id="recognize"></a>How can I recognize this type of behaviour?</h2>
<p>At least the user of a firewall has the opportunity to send a request to a <a href="http://www.schroepl.net/cgi-bin/http_trace.pl"><img class="linkicon" height="15" width="16" alt="arrow" title="external" src="extern.gif" />program</a> of his choice on the WWW and let it display the HTTP headers it received - so that the user at least knows what he is dealing with ...</p>
<div id="icon">
<a href="http://validator.w3.org/check/referer"><img alt="" title="valid XHTML 1.1" height="31" width="88" src="valid-xhtml11.png" /></a><a href="http://jigsaw.w3.org/css-validator/check/referer"><img alt="" title="valid CSS" height="31" width="88" src="valid-css.png" /></a>
</div>
<p id="mail">(<a href="mailto:michael.schroepl@gmx.de?subject=mod_gzip">Michael Schröpl</a>, 2002-08-30)</p>
</div>
</body>
</html>
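To make the last section concrete, here is an added example (not part of the mod_gzip documentation or of the linked trace program) of what a header-echo script on the server side could do with the raw request it received: report whether the client's Accept-Encoding header arrived intact, was overwritten in place with filler characters (the Zone Alarm behaviour described above) or was removed altogether (the Cequrux behaviour). The three sample requests are constructed for this example, and the filler pattern used to spot an overwritten line is an assumption.

```python
import re

# Constructed sample requests (not captured traffic): what a header-echo
# program might receive in each of the three cases described above.
INTACT = ("GET /cgi-bin/http_trace.pl HTTP/1.1\r\nHost: example.invalid\r\n"
          "Accept-Encoding: gzip, deflate\r\nUser-Agent: demo\r\n\r\n")
OVERWRITTEN = ("GET /cgi-bin/http_trace.pl HTTP/1.1\r\nHost: example.invalid\r\n"
               "Xxxxxx-Xxxxxxx: xxxx, xxxxxxx\r\nUser-Agent: demo\r\n\r\n")
REMOVED = ("GET /cgi-bin/http_trace.pl HTTP/1.1\r\nHost: example.invalid\r\n"
           "User-Agent: demo\r\n\r\n")

# Assumption: a blanked-out header line consists only of filler letters
# (x/X) and hyphens in the name, and filler letters, commas and blanks in
# the value, so it is no longer any valid HTTP header name.
FILLER_NAME = re.compile(r"[xX]+(?:-[xX]+)*")
FILLER_VALUE = re.compile(r"[xX, ]*")


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP request into (name, value) pairs in wire order,
    keeping the original spelling so an overwritten line stays visible."""
    headers = []
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers

def classify_accept_encoding(raw: str) -> str:
    """Return 'intact', 'overwritten' or 'removed' for the Accept-Encoding
    header of the request as it arrived at the server."""
    headers = parse_headers(raw)
    if any(name.lower() == "accept-encoding" for name, _ in headers):
        return "intact"
    # Zone Alarm style: the line is still there, but its bytes are filler.
    for name, value in headers:
        if FILLER_NAME.fullmatch(name) and FILLER_VALUE.fullmatch(value):
            return "overwritten"
    # Cequrux style: the line is gone altogether.
    return "removed"

def accepted_encodings(raw: str) -> list[str]:
    """Encodings the server may actually use; empty when the header was
    mangled or stripped on the way."""
    for name, value in parse_headers(raw):
        if name.lower() == "accept-encoding":
            return [t.strip() for t in value.split(",") if t.strip()]
    return []
```

Running the classifier on a request echoed back from a trace script tells the user which of the two behaviours, if any, sits between the browser and the server.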