On 4/17/12 9:44 AM, Bruce Edge wrote:
> On Mon, Apr 16, 2012 at 3:26 PM, Tom Eastep <[email protected]> wrote:
>
> > On 04/16/2012 03:21 PM, Bruce Edge wrote:
> > > On Mon, Apr 16, 2012 at 2:28 PM, Tom Eastep <[email protected]> wrote:
> > >
> > > > On Apr 16, 2012, at 1:48 PM, Bruce Edge <[email protected]> wrote:
> > > >
> > > > > Shorewall is, in general, working fine. Much better than ufw imho.
> > > > >
> > > > > I have one single problem with one single web site on a 2
> > > > > interface fw.
> > > > >
> > > > > If I plug into my cable modem directly, this site works fine.
> > > > >
> > > > > I cannot access: https://www5.v1host.com/ from behind shorewall.
> > > > > In fact, I can't get to it even from the fw itself.
> > > > >
> > > > > With the cable modem on eth0 of my fw, neither machines behind it
> > > > > on eth1, or the fw itself can get this one specific web site.
> > > >
> > > > If you temporarily 'shorewall clear', can you access the site from
> > > > the fw? (be sure to 'shorewall start' after testing.)
> > > >
> > > > Tom
> > >
> > > No, that's the part I don't understand. Even that doesn't work.
> > >
> > > Just to re-iterate for clarity, even after a "shorewall clear" I still
> > > cannot access that site from either the fw or any machines behind it.
> >
> > Then I'm afraid that your problem has nothing to do with your Shorewall
> > configuration.
>
> Not surprisingly, you were right.
>
> Just to follow up in case this helps anyone else, I fixed this by forcing
> my MTU to 1500 on both interfaces.
> No clue why I only saw this on one specific site.

A misconfigured router between you and that site is breaking path MTU discovery.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
