Francois Gouget <[EMAIL PROTECTED]> writes:
> On Mon, 7 May 2001, Michel Decima wrote:
>
> > Hello everybody
> >
> > I'm using a linux box with netfilter to masquerade my home LAN
> > and I have (very) strange behaviour with some web sites: they
> > are not reachable by the masqueraded workstation (but I can read
> > them from the firewall). After the browser says 'connected to X'
> > the connection stalls. I've checked the ECN feature, and it is
> > not compiled in the kernel.
>
> This looks like an MTU problem. You may want to try to lower the
> MTU on your workstation and see if it works better.
>
> I had the same problem here when I configured my desktop as a
> firewall. I could access some web sites but not others, ftp dir
> would work but not getting files, I could get some email but not
> all. I read that it was because I use both pppoe and masquerading
> (still ipchains here) because somewhere 8 bytes are added. Once I
> set the MTU on the masqueraded machines to 1492 (or 1460) it worked
> fine.
Alternatively, open up ICMP 3 both ways on your firewall. The ipchains way of doing this is:

    ipchains -A input -s any/0 3 -d $EXT_IP -i $EXT -p icmp -j ACCEPT
    ipchains -A output -s $EXT_IP 3 -d any/0 -i $EXT -p icmp -j ACCEPT

where EXT_IP is your external IP address, EXT is the external ethernet device (eth0, eth1, whatever). This allows normal TCP mechanisms to reduce the MTU automatically.

--
matt
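As an added illustration (not part of this thread), here is what the ICMP type 3 rule above is letting through: a small Python parser for the "fragmentation needed" message (type 3, code 4, RFC 1191) that a router sends back with the next-hop MTU, which is what lets TCP shrink its packets. The sample packet, its addresses and the PPPoE MTU of 1492 are constructed for the example.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type 3: destination unreachable
ICMP_FRAG_NEEDED = 4    # code 4: fragmentation needed and DF set (RFC 1191)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, offending_ip_header: bytes) -> bytes:
    """Constructed sample of what a router sends when a DF packet is too big.
    Layout: type(1) code(1) checksum(2) unused(2) next-hop MTU(2), then the
    IP header + first 8 bytes of the packet that could not be forwarded."""
    header = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body = header + offending_ip_header
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_frag_needed(msg: bytes):
    """Return the advertised next-hop MTU if msg is a valid type 3 / code 4
    message, else None. A firewall that drops ICMP type 3 discards exactly
    this message, so the sender keeps retransmitting full-size packets."""
    if len(msg) < 8:
        return None
    icmp_type, code, csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    if icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) != csum:  # reject corrupted messages
        return None
    return mtu


def tcp_mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload per packet: MTU minus 20-byte IPv4 and 20-byte TCP headers."""
    return mtu - 40


# Constructed 20-byte IPv4 header (DF flag set, total length 1500) plus 8 payload bytes,
# standing in for the oversized packet that a PPPoE link with MTU 1492 cannot carry.
SAMPLE_IP_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                               bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])) + b"\x00" * 8
PPPOE_MTU = 1492
SAMPLE_MSG = build_frag_needed(PPPOE_MTU, SAMPLE_IP_HEADER)

if __name__ == "__main__":
    print("next-hop MTU:", parse_frag_needed(SAMPLE_MSG), "-> TCP MSS:", tcp_mss_for_mtu(PPPOE_MTU))
```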

