On Sat, 2007-08-18 at 11:24 -0500, Brad Bendily wrote:
> On 8/17/07, Greg Gowins <[EMAIL PROTECTED]> wrote:
> >
> > No, the clients that can't connect do not have any mention of ECN
> > (explicit congestion notification) in the Wireshark traces.
>
> Have you tried to give a problem machine the IP of a working machine?
> To narrow down whether it's in the firewall or the workstation?
I rather doubt that it is IP-address related. The firewall ruleset treats the working and non-working addresses identically.

In my experience, problems that affect some web sites but not others are either ECN- or Path-MTU-related. Since we've ruled out ECN, I think that the problem has to do with the ersatz MTU (1492) on eth1. I suspect that replacing CLAMPMSS=Yes with CLAMPMSS=1452 (or lower) in shorewall.conf would correct the problem (as would configuring eth1 and all of the hosts on that LAN with the same MTU).

MTU-related problems occur because complete idiots sometimes masquerade as network administrators. These fools somehow believe that all ICMP packets are evil and must be prevented at any cost from passing through the routers that they administer. In so doing, they break path MTU discovery and cause grief for the rest of us. The Netfilter TCPMSS target (which CLAMPMSS uses) is netfilter's tool for working around the effects of these administrators' stupidity.

CLAMPMSS=Yes works well if the outgoing interface's MTU is smaller than the local LAN's. In this case, however, it is the local interface that has the smaller MTU, so CLAMPMSS=<mss> is the proper solution. The value is calculated as the smallest MTU in the client<->server path minus 40; hence, I recommended CLAMPMSS=1452.

A word of warning. Greg is running Shorewall 3.0.4. In that version (in fact, in all versions up to 4.0.2), setting CLAMPMSS=<mss> could actually *increase* the MSS setting in a packet.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
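The arithmetic behind CLAMPMSS=1452 and the "never increase the MSS" warning above, as an added worked example (this is not Shorewall code or anything from the thread; the helper names, the sample SYN options and the MTU lists are constructed for illustration). It derives the clamp value from the smallest MTU on the path (IPv4: 20-byte IP header plus 20-byte TCP header, so MTU minus 40; IPv6: minus 60), walks the TCP option list of a SYN to find the MSS option, and rewrites it only when it is larger than the clamp, which is the one-directional behaviour a clamp should have:

```python
"""Path-MTU / MSS clamping worked example (constructed, not Shorewall's code)."""

IPV4_TCP_OVERHEAD = 20 + 20   # minimal IPv4 header + minimal TCP header
IPV6_TCP_OVERHEAD = 40 + 20   # IPv6 header + minimal TCP header

TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MSS = 2
TCPOLEN_MSS = 4


def mss_for_path(mtus, ipv6=False):
    """MSS a host should advertise given every MTU along the client<->server path.

    The smallest MTU bounds the largest packet that crosses the path without
    fragmentation; subtracting the IP and TCP header sizes gives the payload.
    """
    overhead = IPV6_TCP_OVERHEAD if ipv6 else IPV4_TCP_OVERHEAD
    return min(mtus) - overhead


def parse_tcp_options(opts):
    """Yield (kind, value_bytes, offset) for each option in a TCP option block.

    Handles the single-byte EOL/NOP options and length-prefixed options, and
    stops at EOL or on a malformed length instead of reading past the buffer.
    """
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return
        yield kind, opts[i + 2:i + length], i
        i += length


def clamp_mss(opts, max_mss):
    """Return a copy of the TCP options with the MSS option clamped to max_mss.

    An MSS already at or below max_mss is left untouched: a clamp must only
    ever lower the value, never raise it.
    """
    out = bytearray(opts)
    for kind, value, off in parse_tcp_options(opts):
        if kind == TCPOPT_MSS and len(value) == TCPOLEN_MSS - 2:
            current = int.from_bytes(value, "big")
            if current > max_mss:
                out[off + 2:off + 4] = max_mss.to_bytes(2, "big")
    return bytes(out)


def advertised_mss(opts):
    """The MSS option value in a TCP option block, or None if absent."""
    for kind, value, _ in parse_tcp_options(opts):
        if kind == TCPOPT_MSS and len(value) == 2:
            return int.from_bytes(value, "big")
    return None


# Constructed sample: the option block a Linux client on a 1500-byte Ethernet
# typically puts in its SYN: MSS 1460, SACK-permitted, timestamps, NOP, wscale 7.
SYN_OPTIONS_1500 = bytes.fromhex(
    "020405b4"              # MSS = 1460
    "0402"                  # SACK permitted
    "080a0000000100000000"  # timestamps
    "01"                    # NOP
    "030307"                # window scale 7
)

if __name__ == "__main__":
    # LAN-side interface at 1492, everything else at 1500: the case in the thread.
    mss = mss_for_path([1500, 1492, 1500])          # 1452
    clamped = clamp_mss(SYN_OPTIONS_1500, mss)
    print("clamp to", mss, "->", advertised_mss(clamped))
    # Re-applying a larger clamp must not raise the MSS back up.
    print("raise attempt ->", advertised_mss(clamp_mss(clamped, 1460)))
```

The equivalent hand-written netfilter rule for the clamp is `iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452`; which chain Shorewall actually places its TCPMSS rule in is not something the thread states, so treat that rule as an illustration of the target, not of Shorewall's generated ruleset.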
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
