ALF: Application Layer Fixup

I was talking about “application-layer gateways” on firewalls and NAT boxes with a fellow engineer, and we came to an interesting conclusion: in most cases they are not gateways; they don’t add any significant functionality apart for payload fixups for those broken applications that think carrying network endpoint information in application packets is a good idea (I’m looking at you, SIP and FTP). These things should thus be called Application Layer Fixups or ALFs ;)


  1. Do ALFs like to eat CATs (Complex Application Transactions)
    1. Made my day (just what I needed sitting at Las Vegas airport waiting for a delayed flight).

      Thanks a million!
  2. My one experience with 'fix'ups was on a Cisco ASA doing remote user vpn.. When I installed it I never disabled the default inspection stuff (What harm could they do?).

    Much later, after what should have been an uneventful update on some windows servers, no one could access email (MAPI) over the vpn. Turns out the update changed a default rpc port or something causing the ASA to think the traffic was malformed skinny packets, and drop it.

    1. I've had the same experience many times with nvr's using ports 2001 and 2002.

      There is also the legendary esmtp inspection which effectively destroys the protocol. More like esmtp f**kup
    2. I remember a similar issue with the server-side email filtering language SIEVE: in its early days, it used 2000/tcp by default, but later did move to 4190/tcp. 2000/tcp is still in use by legacy configurations, but later became assigned to Cisco's Skinny protocol. As a result, an ASA in place may accept the connection (client thinks "server accepts the tcp connection), the ASA doesn't read skinny protocol packets and hence closes the connection (clients thinks "server closed connection"). Of course, the SIEVE server doesn't ever see an incoming connection from that client - and so one can easily spend days debugging this.
Add comment