Re: web sites not accessible
In a letter from "Gustavo Rios" <[EMAIL PROTECTED]> dated Sun, 11 Feb 2007 21:08:08 -0200:

> Dear gentlemen/madams,
>
> I would like to thank you all for your suggestions. They were to the
> point. Now, one doubt has come up in regards to man 4 pppoe and the
> link suggested below.
>
> In theory, what should the maximum MSS over a PPPoE interface be;
> 1452 or 1454?
>
> Thanks once more.

Hi,

see the article. It explains fairly well that it depends on the network
_behind_, mostly ATM, which works based on so-called cells. If your packet
fits in N cells without using an additional cell only partly, it's perfect.

HTH,

Timo

> On 2/11/07, Timo Schoeler <[EMAIL PROTECTED]> wrote:
> > In a letter from "Gustavo Rios" <[EMAIL PROTECTED]> dated
> > Sun, 11 Feb 2007 12:55:14 -0200:
> >
> > > Thanks, but I am using kernel pppoe! How can it be changed?
> >
> > Might be of help:
> >
> > http://www.mynetwatchman.com/kb/adsl/pppoemtu.htm
> >
> > HTH,
> >
> > Timo
> >
> > > On 2/11/07, Paul D. Ouderkirk <[EMAIL PROTECTED]> wrote:
> > > > On 2/10/07, Gustavo Rios <[EMAIL PROTECTED]> wrote:
> > > > > Dear list members,
> > > > >
> > > > > I am trying to build a firewall. Up to now, everything is OK,
> > > > > except for some http sites that cannot be shown.
> > > > > ...
> > > > >
> > > > > I can ping the world outside my private network, as well as
> > > > > telnet, ssh, etc ...
> > > >
> > > > This may be a long shot, but I once had similar symptoms on a
> > > > network with a PPPoE DSL connection. Everything would work as I
> > > > expected, but certain web sites would just never load.
> > > >
> > > > Try lowering the MTU on the PPPoE interface, it worked for me.
> > > >
> > > > In /etc/ppp/ppp.conf:
> > > >
> > > >   set mtu max 1480
> > > >
> > > > Try setting various values starting at 1480 and lowering the
> > > > value until the web page problem is fixed.
> > > >
> > > > --
> > > > Paul D. Ouderkirk
> > > > Senior UNIX System Administrator
> > > > JadedPixel Technologies
> > > > [EMAIL PROTECTED]
> > > > --
> > > > laughing,
> > > > in the mechanism
> > > > -- William Gibson
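Editor's worked example, added here; it is not code from the thread or from any of the posters. It does the arithmetic behind Timo's explanation above and the 1452-vs-1454 question he quotes: the PPPoE MTU, the TCP MSS that follows from it, and how many 48-byte ATM cells a given IP packet occupies. Everything in it is an assumption unless the thread states it: IPv4 and TCP headers without options (20 + 20 bytes), 8 bytes of PPPoE/PPP overhead on a 1500-byte Ethernet MTU, and, for the ATM side, bridged Ethernet over AAL5 with RFC 2684 LLC/SNAP encapsulation. Real providers use other encapsulations (VC-mux, PPPoA), which is exactly why Timo says the answer depends on the network behind the modem. The interface name pppoe0 and the pf scrub line are illustrative only.

```python
"""MTU/MSS/ATM-cell arithmetic for a PPPoE link (added example, not from the
thread). All overhead figures below are assumptions, labelled as such."""

# Assumed link-layer figures.
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8        # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_HEADER = 20          # no IP options
TCP_HEADER = 20           # no TCP options

# Assumed ATM side: bridged Ethernet over AAL5, RFC 2684 LLC/SNAP encapsulation.
ATM_CELL_PAYLOAD = 48     # usable bytes per 53-byte ATM cell
AAL5_TRAILER = 8          # CPCS-PDU trailer, after padding to a cell boundary
LLC_SNAP_BRIDGED = 10 + 2 # LLC/SNAP header + 2-byte pad before the frame
ETHERNET_HEADER = 14      # dst, src, type; frame FCS assumed not carried


def pppoe_mtu(ethernet_mtu=ETHERNET_MTU):
    """IP MTU of a PPPoE interface riding on an Ethernet of the given MTU."""
    return ethernet_mtu - PPPOE_OVERHEAD          # 1500 -> 1492


def mss_for_mtu(mtu, ip_header=IPV4_HEADER, tcp_header=TCP_HEADER):
    """Largest TCP payload that fits one IP packet of size mtu without
    fragmentation (headers without options)."""
    return mtu - ip_header - tcp_header           # 1492 -> 1452


def atm_cells(ip_len):
    """(cells, wasted_padding_bytes) for an IP packet of ip_len bytes under
    the assumed LLC/SNAP bridged encapsulation. A packet whose padding is 0
    fills its last cell exactly, which is the case Timo calls 'perfect'."""
    sdu = LLC_SNAP_BRIDGED + ETHERNET_HEADER + PPPOE_OVERHEAD + ip_len
    pdu = sdu + AAL5_TRAILER
    cells = -(-pdu // ATM_CELL_PAYLOAD)          # ceiling division, no floats
    padding = cells * ATM_CELL_PAYLOAD - pdu
    return cells, padding


def cell_aligned_mtus(lo, hi):
    """IP packet sizes in [lo, hi] that leave no padding in their last cell."""
    return [n for n in range(lo, hi + 1) if atm_cells(n)[1] == 0]


def scrub_rule(iface, mtu):
    """pf rule (syntax of the pf of that era) that clamps the TCP MSS of SYNs
    leaving iface to what fits in one packet of size mtu. Illustrative."""
    return "scrub out on %s max-mss %d" % (iface, mss_for_mtu(mtu))


if __name__ == "__main__":
    mtu = pppoe_mtu()
    print("PPPoE MTU %d -> MSS %d" % (mtu, mss_for_mtu(mtu)))
    for size in (1446, 1492, 1494):
        cells, pad = atm_cells(size)
        print("IP packet %d bytes: %d cells, %d bytes padding" % (size, cells, pad))
    print("cell-aligned sizes 1440..1500:", cell_aligned_mtus(1440, 1500))
    print(scrub_rule("pppoe0", mtu))
```

Under these assumptions a 1492-byte packet spills 2 bytes short of filling its 32nd cell, while a 1494-byte packet fills 32 cells exactly, and 1494 minus 40 bytes of headers is 1454; the PPPoE ceiling of 1492 gives 1452. Whether that is where the two figures in the question come from depends on the provider's actual encapsulation, which the thread does not state. Treat the 40-byte arithmetic as a ceiling, not a target: a clamp a little lower costs nothing, and it only helps at all for TCP SYNs that pass through the firewall.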
Re: web sites not accessible
Dear gentlemen/madams,

I would like to thank you all for your suggestions. They were to the
point. Now, one doubt has come up in regards to man 4 pppoe and the link
suggested below.

In theory, what should the maximum MSS over a PPPoE interface be; 1452 or
1454?

Thanks once more.

On 2/11/07, Timo Schoeler <[EMAIL PROTECTED]> wrote:
> In a letter from "Gustavo Rios" <[EMAIL PROTECTED]> dated
> Sun, 11 Feb 2007 12:55:14 -0200:
>
> > Thanks, but I am using kernel pppoe! How can it be changed?
>
> Might be of help:
>
> http://www.mynetwatchman.com/kb/adsl/pppoemtu.htm
>
> HTH,
>
> Timo
>
> > On 2/11/07, Paul D. Ouderkirk <[EMAIL PROTECTED]> wrote:
> > > On 2/10/07, Gustavo Rios <[EMAIL PROTECTED]> wrote:
> > > > Dear list members,
> > > >
> > > > I am trying to build a firewall. Up to now, everything is OK,
> > > > except for some http sites that cannot be shown.
> > > > ...
> > > >
> > > > I can ping the world outside my private network, as well as
> > > > telnet, ssh, etc ...
> > >
> > > This may be a long shot, but I once had similar symptoms on a
> > > network with a PPPoE DSL connection. Everything would work as I
> > > expected, but certain web sites would just never load.
> > >
> > > Try lowering the MTU on the PPPoE interface, it worked for me.
> > >
> > > In /etc/ppp/ppp.conf:
> > >
> > >   set mtu max 1480
> > >
> > > Try setting various values starting at 1480 and lowering the value
> > > until the web page problem is fixed.
> > >
> > > --
> > > Paul D. Ouderkirk
> > > Senior UNIX System Administrator
> > > JadedPixel Technologies
> > > [EMAIL PROTECTED]
> > > --
> > > laughing,
> > > in the mechanism
> > > -- William Gibson
Re: web sites not accessible
In a letter from "Gustavo Rios" <[EMAIL PROTECTED]> dated Sun, 11 Feb 2007 12:55:14 -0200:

> Thanks, but I am using kernel pppoe! How can it be changed?

Might be of help:

http://www.mynetwatchman.com/kb/adsl/pppoemtu.htm

HTH,

Timo

> On 2/11/07, Paul D. Ouderkirk <[EMAIL PROTECTED]> wrote:
> > On 2/10/07, Gustavo Rios <[EMAIL PROTECTED]> wrote:
> > > Dear list members,
> > >
> > > I am trying to build a firewall. Up to now, everything is OK,
> > > except for some http sites that cannot be shown.
> > > ...
> > >
> > > I can ping the world outside my private network, as well as
> > > telnet, ssh, etc ...
> >
> > This may be a long shot, but I once had similar symptoms on a
> > network with a PPPoE DSL connection. Everything would work as I
> > expected, but certain web sites would just never load.
> >
> > Try lowering the MTU on the PPPoE interface, it worked for me.
> >
> > In /etc/ppp/ppp.conf:
> >
> >   set mtu max 1480
> >
> > Try setting various values starting at 1480 and lowering the value
> > until the web page problem is fixed.
> >
> > --
> > Paul D. Ouderkirk
> > Senior UNIX System Administrator
> > JadedPixel Technologies
> > [EMAIL PROTECTED]
> > --
> > laughing,
> > in the mechanism
> > -- William Gibson
Re: web sites not accessible
Gustavo Rios ([EMAIL PROTECTED]) on 2007.02.11 12:55:14:
> Thanks, but I am using kernel pppoe! How can it be changed?

See the manpage pppoe(4) in section "MTU/MSS ISSUES".

/Benno

--
Sebastian Benoit <[EMAIL PROTECTED]>
Re: web sites not accessible
On 2/11/07, Gustavo Rios <[EMAIL PROTECTED]> wrote:
> Thanks, but I am using kernel pppoe! How can it be changed?

In that case, check man 4 pppoe in the section labelled "MTU/MSS ISSUES".

Paul.

--
Paul D. Ouderkirk
Senior UNIX System Administrator
JadedPixel Technologies
[EMAIL PROTECTED]
--
laughing,
in the mechanism
-- William Gibson
Re: web sites not accessible
Thanks, but I am using kernel pppoe! How can it be changed?

On 2/11/07, Paul D. Ouderkirk <[EMAIL PROTECTED]> wrote:
> On 2/10/07, Gustavo Rios <[EMAIL PROTECTED]> wrote:
> > Dear list members,
> >
> > I am trying to build a firewall. Up to now, everything is OK, except
> > for some http sites that cannot be shown.
> > ...
> >
> > I can ping the world outside my private network, as well as telnet,
> > ssh, etc ...
>
> This may be a long shot, but I once had similar symptoms on a network
> with a PPPoE DSL connection. Everything would work as I expected, but
> certain web sites would just never load.
>
> Try lowering the MTU on the PPPoE interface, it worked for me.
>
> In /etc/ppp/ppp.conf:
>
>   set mtu max 1480
>
> Try setting various values starting at 1480 and lowering the value
> until the web page problem is fixed.
>
> --
> Paul D. Ouderkirk
> Senior UNIX System Administrator
> JadedPixel Technologies
> [EMAIL PROTECTED]
> --
> laughing,
> in the mechanism
> -- William Gibson
Re: web sites not accessible
On 2/10/07, Gustavo Rios <[EMAIL PROTECTED]> wrote:
> Dear list members,
>
> I am trying to build a firewall. Up to now, everything is OK, except
> for some http sites that cannot be shown.
> ...
>
> I can ping the world outside my private network, as well as telnet,
> ssh, etc ...

This may be a long shot, but I once had similar symptoms on a network
with a PPPoE DSL connection. Everything would work as I expected, but
certain web sites would just never load.

Try lowering the MTU on the PPPoE interface, it worked for me.

In /etc/ppp/ppp.conf:

  set mtu max 1480

Try setting various values starting at 1480 and lowering the value until
the web page problem is fixed.

--
Paul D. Ouderkirk
Senior UNIX System Administrator
JadedPixel Technologies
[EMAIL PROTECTED]
--
laughing,
in the mechanism
-- William Gibson
web sites not accessible
Dear list members,

I am trying to build a firewall. Up to now, everything is OK, except for
some http sites that cannot be shown.

I am really having a hard time trying to figure out what is happening!

I believe something is wrong between rules 7 to 10 (I am on the network
defined by interface sis1). I can ping the world outside my private
network, as well as telnet, ssh, etc ...

I can access everything from inside the firewall itself. The problem is
that some web sites do not appear when accessed from the local desktop;
the scenario is the following:

  access from   access to        status
  firewall                       ok
  desktop       www.unix.org     nothing appears
  desktop       www.gmail.com    ok

Does anybody have any idea about what is wrong (again, ssh, telnet, ntp
access from within the desktop is 100% ok, only some web sites)?

Here go my firewall rules:

#
# Macros
#
IIF_0 = "sis0"
IIF_1 = "sis1"
IIF_2 = "sis2"
EIF = "pppoe0"

#
# Tables
#
# (The <name> of each table, and the <name> references in the rules below,
#  did not survive the mailing list archive; the bracketed words are gone.)
table persist const { 127/8 255/8 0/8 }
table persist const { 10/8 172.16/12 192.168/16 }
table persist const { 224/4 }
table persist { 10/8 172.16/12 192.168/16 !10/25 !10.0.0.128/26 !10.0.0.192/26 }
table persist
table persist { 10/25 10.0.0.128/26 10.0.0.192/26 }

#
# Options
#
set loginterface $EIF
set skip on lo0
set debug misc
set state-policy if-bound
set block-policy return

###
#
# Traffic Normalization
#
###

##
#
# Queueing
#
##

#
# Translation (first match wins). Only applicable if $EIF is a public address.
#
no nat on $EIF from { ($IIF_0) ($IIF_1) ($IIF_2) }
nat on $EIF from ($IIF_0:network) to ! tag NAT -> ($EIF)
nat on $EIF from ($IIF_1:network) to ! tag NAT -> ($EIF)
nat on $EIF from ($IIF_2:network) to ! tag NAT -> ($EIF)

##
#
# Packet Filtering (last match wins)
#
##

# let's block everything by default
block log all

# everything may come in and out the host itself (two rules per interface)
pass in log on $IIF_0 from ($IIF_0:network) to ($IIF_0) flags S/SA keep state
pass out log on $IIF_0 from ($IIF_0) to ($IIF_0:network) flags S/SA keep state
pass in log on $IIF_1 from ($IIF_1:network) to ($IIF_1) flags S/SA keep state
pass out log on $IIF_1 from ($IIF_1) to ($IIF_1:network) flags S/SA keep state
pass in log on $IIF_2 from ($IIF_2:network) to ($IIF_2) flags S/SA keep state
pass out log on $IIF_2 from ($IIF_2) to ($IIF_2:network) flags S/SA keep state
pass in log on $EIF to ($EIF) flags S/SA keep state
pass out log on $EIF from ($EIF) flags S/SA keep state ! tagged NAT

# allowed traffic configuration goes here
pass out log on $EIF from ($EIF) flags S/SA keep state tagged NAT
pass in log on $IIF_1 flags S/SA keep state

# default on each internal interface (private address)
block in log on $IIF_0 from { ($IIF_0) ($IIF_0:broadcast) !($IIF_0:network) }
block in log on !$IIF_0 to ($IIF_0:broadcast)
block in log on $IIF_0 to
#block in log on $IIF_0 proto ! udp to

block in log on $IIF_1 from { ($IIF_1) ($IIF_1:broadcast) !($IIF_1:network) }
block in log on !$IIF_1 to ($IIF_1:broadcast)
block in log on $IIF_1 to
#block in log on $IIF_1 proto ! udp to

block in log on $IIF_2 from { ($IIF_2) ($IIF_2:broadcast) !($IIF_2:network) }
block in log on !$IIF_2 to ($IIF_2:broadcast)
block in log on $IIF_2 to
#block in log on $IIF_2 proto ! udp to

# default external interface (public address)
block in log on $EIF from ($EIF)

# additional rules
block in log on $EIF from {}
block in log on $EIF to ! tagged RDR
block in log on $EIF to { }
#block in log on $EIF proto ! udp to