How do Firewalls handle Content-Encoding: gzip?

Submitted by michael_schroepl on Thu, 2005-04-14 17:53.

Author: Michael Schröpl


Tasks of a firewall

One of the tasks of a firewall - whether a company firewall or a personal firewall on a client computer - is to remove 'dangerous' or 'unwanted' content from received data.

This implies that the firewall understands this content.

Of course, a correctly working firewall could simply understand and unzip compressed content, as the procedure to be used is explicitly named in the Content-Encoding HTTP header of the response.

The 'easy way out'

But some firewalls just aren't capable of doing so. As they still try to fulfill their task, they do something very unwanted: they simply remove the Accept-Encoding header from the request before it is sent!

As a result, no correctly working server will try to send encoded data ... that's not really what we wanted, because the transfer speed may suffer massively from this.

Very stupid firewalls, like Zone Alarm, simply overwrite the Accept-Encoding header with arbitrary characters, like Xxxxxx-Xxxxxxx: xxxx, xxxxxxx. This saves them from having to send the modified request packet in parts - they just throw the whole buffer onto the communication line, as its length hasn't changed.

Slightly less stupid firewalls, like Cequrux from version 4.1.8, read the HTTP header line by line and completely remove the Accept-Encoding line. Nevertheless, this is just as annoying.

How can I recognize this type of behaviour?

At least the user of a firewall has the opportunity to send a request to a program of his choice on the WWW and let it display the HTTP headers it received - so that the user at least knows what he got involved in ...
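The comparison described above, as an added example that is not part of the original article: given the request a client sent and the request an echo program reports having received, this Python code tells whether the Accept-Encoding line arrived intact, was overwritten in place, or was removed. The sample requests, the host name echo.example and all function names are constructed for illustration.

```python
def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP request head, in order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def classify(sent: bytes, received: bytes) -> str:
    """Compare the request as sent with the request the echo program received."""
    sent_h, recv_h = parse_headers(sent), parse_headers(received)
    if not any(n.lower() == "accept-encoding" for n, _ in sent_h):
        raise ValueError("the sent request carries no Accept-Encoding header")
    if any(n.lower() == "accept-encoding" for n, _ in recv_h):
        return "intact"
    # Same byte length and same number of header lines: the line was
    # overwritten in place. Otherwise the line was cut out.
    same_shape = len(sent) == len(received) and len(sent_h) == len(recv_h)
    return "overwritten" if same_shape else "removed"


# Constructed sample data (not captured traffic).
AE_LINE = b"Accept-Encoding: gzip, deflate"
SENT = (b"GET /headers HTTP/1.1\r\nHost: echo.example\r\n"
        + AE_LINE + b"\r\nUser-Agent: demo\r\n\r\n")
# Letters replaced by X/x, punctuation kept, so the length is unchanged.
MASKED = bytes(88 if 65 <= b <= 90 else 120 if 97 <= b <= 122 else b
               for b in AE_LINE)
OVERWRITTEN = SENT.replace(AE_LINE, MASKED)
REMOVED = SENT.replace(AE_LINE + b"\r\n", b"")

if __name__ == "__main__":
    for label, req in (("unfiltered", SENT), ("in-place overwrite", OVERWRITTEN),
                       ("line removed", REMOVED)):
        print(f"{label:20} -> {classify(SENT, req)}")
```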



