Thanks Tom!

The MTU setting was indeed the culprit.  It was set to 1492 by default on
that NIC, an old 3Com 3C905 card.  I added a 'mtu 1500' to the
/etc/network/interfaces file for eth1, and the problem went away.  Nice
catch. Thanks for your help on this!

Greg

On 8/18/07, Tom Eastep <[EMAIL PROTECTED]> wrote:
>
> On Sat, 2007-08-18 at 11:24 -0500, Brad Bendily wrote:
> > On 8/17/07, Greg Gowins <[EMAIL PROTECTED]> wrote:
> > >
> > > No, the clients that can't connect do not have any mention of ECN
> > > (explicit congestion notification) in the Wireshark traces.
> >
> > Have you tried to give a problem machine the IP of a working machine?
> > To narrow down whether it's in the firewall or the workstation?
>
> I rather doubt that it is IP-address related. The firewall ruleset
> treats the working and non-working addresses identically.
>
> In my experience, problems that affect some web sites but not others are
> either ECN- or Path MTU- related. Since we've ruled out ECN, I think
> that the problem has to do with the ersatz MTU (1492) on eth1. I suspect
> that replacing CLAMPMSS=Yes with CLAMPMSS=1452 (or lower) in
> shorewall.conf would correct the problem (as would configuring eth1 and
> all of the hosts on that LAN with the same MTU).
>
> MTU-related problems occur because complete idiots sometimes masquerade
> as network administrators. These fools somehow believe that all ICMP
> packets are evil and must be prevented at any cost from passing through
> the routers that they administer. In so doing, they break path MTU
> discovery and cause grief for the rest of us. The Netfilter TCPMSS
> target (which CLAMPMSS uses) is netfilter's tool for working around the
> effects of these administrators' stupidity.
>
> CLAMPMSS=Yes works well if the outgoing interface's MTU is smaller than
> the local LAN's. In this case, however, it is the local interface that
> has the smaller MTU so CLAMPMSS=<mss> is the proper solution. The value
> is calculated as the smallest MTU in the client<->server path minus 40;
> hence, I recommended CLAMPMSS=1452.
>
> A word of warning. Greg is running Shorewall 3.0.4.  In that version (in
> fact, in all versions up to 4.0.2), setting CLAMPMSS=<mss> could
> actually *increase* the MSS setting in a packet.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ [EMAIL PROTECTED]
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>
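Added example, not part of the thread and not Shorewall or Netfilter code: a small Python model of the MSS arithmetic Tom lays out above. It computes the CLAMPMSS value as the smallest MTU on the client-server path minus 40 (20-byte IPv4 header plus 20-byte TCP header), and it contrasts a "set MSS unconditionally" clamp with a "reduce only" clamp, which is the difference behind his warning that older Shorewall versions could raise a packet's MSS. Function names, the sample path MTUs, and the constructed list of SYN records are my own.

```python
# Added example: models the MSS arithmetic discussed in the thread.
# This is not Shorewall or Netfilter code; names and sample data are assumed.

IPV4_HEADER = 20                         # bytes, IPv4 header without options
TCP_HEADER = 20                          # bytes, TCP header without options
MSS_OVERHEAD = IPV4_HEADER + TCP_HEADER  # the "minus 40" in the thread


def clamp_value_for_path(path_mtus):
    """CLAMPMSS value for a path: smallest MTU on the path minus 40.

    path_mtus is a list of the MTUs of every hop/interface in the
    client<->server path, e.g. [1492, 1500] for Greg's eth1 plus the WAN side.
    """
    if not path_mtus:
        raise ValueError("path must contain at least one MTU")
    return min(path_mtus) - MSS_OVERHEAD


def apply_clamp(advertised_mss, clamp, reduce_only):
    """What a SYN's MSS option becomes after a clamp is applied.

    reduce_only=False models the behaviour the thread warns about (Shorewall
    up to 4.0.2): the option is overwritten with the clamp value even when
    that *raises* the MSS the host advertised.  reduce_only=True models the
    safe behaviour: the MSS is only ever lowered.
    """
    if advertised_mss <= 0 or clamp <= 0:
        raise ValueError("MSS values must be positive")
    if reduce_only:
        return min(advertised_mss, clamp)
    return clamp


def review_syns(syn_records, clamp):
    """Flag every SYN whose MSS an unconditional clamp would *increase*.

    syn_records: list of (client, advertised_mss) tuples, e.g. from a
    Wireshark trace of SYN packets.  Returns the list of clients for which
    reduce_only=False would hand out a larger MSS than the host asked for.
    """
    raised = []
    for client, mss in syn_records:
        if apply_clamp(mss, clamp, reduce_only=False) > mss:
            raised.append(client)
    return raised


if __name__ == "__main__":
    # Greg's LAN: eth1 at 1492, the rest of the path at the usual 1500.
    lan_path = [1492, 1500, 1500]
    clamp = clamp_value_for_path(lan_path)
    print(f"smallest MTU {min(lan_path)} -> CLAMPMSS={clamp}")   # 1452

    # Constructed SYN records, as one might read them off a trace.
    syns = [("10.0.0.10", 1460),   # host configured with MTU 1500
            ("10.0.0.11", 1452),   # host already matching eth1's MTU
            ("10.0.0.12", 1400)]   # host behind a PPPoE-style link
    for client, mss in syns:
        print(client, mss,
              "unconditional ->", apply_clamp(mss, clamp, reduce_only=False),
              "reduce-only ->", apply_clamp(mss, clamp, reduce_only=True))
    print("MSS would be raised for:", review_syns(syns, clamp))
```

The "reduce only" path is what you want in practice: a clamp should never hand a host a larger segment size than it asked for, because the host's own smaller MSS usually reflects a constraint the firewall cannot see. For the case Tom describes (local interface MTU smaller than the WAN's), the per-interface fix Greg applied, making eth1 and the LAN hosts agree on one MTU, removes the need for a numeric clamp altogether.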
