C. Ham wrote:
OK, I think I have success now.

A cautionary lesson for those jumping to blame Squid: just because you
can avoid the problem when you cut out Squid, it doesn't mean Squid is
necessarily to blame.

I finally noticed that all the sites which were giving problems had an
IP address starting with '77' which whilst a top year for music, was a
bad number for getting TCP connections past the first three packets.

I use a tweaked version of Firestarter to configure iptables and part of
the default Firestarter setup is to reject what it considers
non-routable packets, 192.168.0.0/24, 10.0.0.0/8, etc.  For some reason
77.0.0.0/8 was listed in the file /etc/firestarter/non-routables.
The reason why it seemed that there were two distinct problems affecting
wiki.squid-cache.org and uk.yahoo.com/mail was that wiki.squid-cache.org
seems to host most all its content on the one IP address, whereas Yahoo
mail grabs all manner of boring adverts, graphics, tracking bugs, etc,
from various different sources, some of which reside on servers within
77.0.0.0/8, eg. mail.yimg.com.
By cutting 77.0.0.0 from /etc/firestarter/non-routables all is now well.
Had I looked at /var/log/messages a bit harder I might have spotted this
earlier.  Mind the fact that the default Firestarter configuration only
drops the packet after the 3-way handshake meant that it took a while
for things to show up as the Yahoo page had to go through a fair few
timeouts before it got through all the links to content residing on
servers under 77.0.0.0/8.  I should likely let the Firestarter people
know about this.

Anyhow, thanks for everybody's help and hope this points others in the
right direction.


Callum.

Well found.

The legacy bogon problem rears its head again.
You may need to check the ranges in non-routables against
 http://www.iana.org/assignments/ipv4-address-space
to make sure there are no others.

Also remember that 12+ of the unassigned /8 are allocated every year. So checking ahead also for the unassigned non-reserved blocks might be a good idea.

Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
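
One way to run the check suggested in the reply above, as an added example that is not part of the original thread: flag every entry in a non-routables list that is not fully inside a special-purpose IPv4 block. The file format (one CIDR per line, `#` comments), the sample contents and the hardcoded block list are assumptions; anything flagged should be looked up in the IANA registry linked above.

```python
import ipaddress

# Special-purpose IPv4 blocks that never carry public traffic (hardcoded here
# as an assumption; adjacent blocks are merged so 224.0.0.0/3 is recognised).
SPECIAL_PURPOSE = list(ipaddress.collapse_addresses(
    ipaddress.IPv4Network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
        "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
        "224.0.0.0/4", "240.0.0.0/4",
    )))

# Constructed sample, not a real Firestarter file.
SAMPLE = """\
# blocks rejected as non-routable
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
77.0.0.0/8        # legacy bogon entry
224.0.0.0/3
not-a-cidr
"""

def audit_non_routables(text):
    """Return (stale, malformed) lists of (line number, entry) tuples.

    stale: valid IPv4 networks that are not wholly contained in a
    special-purpose block, so rejecting them may drop legitimate traffic.
    malformed: entries that do not parse as an IPv4 network.
    """
    stale, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            malformed.append((lineno, entry))
            continue
        if not any(net.subnet_of(block) for block in SPECIAL_PURPOSE):
            stale.append((lineno, str(net)))
    return stale, malformed

if __name__ == "__main__":
    stale, malformed = audit_non_routables(SAMPLE)
    for lineno, net in stale:
        print(f"line {lineno}: {net} is not special-purpose, check the IANA registry")
    for lineno, entry in malformed:
        print(f"line {lineno}: cannot parse {entry!r}")
```

An entry that only partly overlaps a special-purpose block is flagged as well, since the part outside it may be allocated address space.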
