Hi,

I have a problem which I do not believe is directly related to Shorewall, but which Shorewall may be able to help me circumvent. I administer a small office network which makes abundant use of an online application. Recently, the servers which host that application have converted to linux. And it is after this conversion that I have begun to experience problems.

My network has around 30 workstations behind a linux box running CentOS4 and Shorewall 3.2.2. Most of the workstations are running Fedora Core 5, but there are also several WinXP boxes. The firewall is doing SNAT for the network, using a single external ip address (the address of the firewall's external interface).

If there are open connections to the web server (ports 80 and 443) at 207.41.18.59 (ecf.moeb.uscourts.gov) through the firewall, some of the linux clients can no longer connect to the site -- the firewall shows these connections in a "SYN_SENT" state. But some of the clients may connect -- it is not possible to predict who can and who can't. If there are no connections currently, any client machine can connect to the site. But as soon as a connection is established, other linux clients start getting stuck (court site is unresponsive, firewall shows SYN_SENT, even while the court site is responding to other connections).

Here's the strange part: the local WinXP clients can always connect without any problems! The problem only occurs with this site; client machines can simultaneously connect to other sites without any issues. It's as though the remote server, or some router in between, is dropping SYN packets from my network's external ip which are not part of an established connection -- unless those SYN packets came from a Windows host! I am guessing that there may be some TCP option enabled on my linux client machines which is triggering the problem, but I'm not sure what to try.

If I add ip addresses and aliases, so that Shorewall uses a pool of external ip addresses for SNAT, the problem is alleviated, until the ip addresses are exhausted and outgoing connections start doubling up. I have replicated this problem on a separate network, using a Cisco PIX firewall, and connecting to the same application on a different server -- linux clients have trouble, Windows clients connect every time. I have tried setting CLAMPMSS=Yes with no change. The office administering the application says there is no connection limiting going on on their end.

Any ideas? I am attaching a "shorewall dump" with some clients connected, and others stuck at SYN_SENT (this is with three external ip addresses for SNAT). Thanks for any suggestions you can offer -- I've been scratchin' my head over this one for a while....

Bill

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Bill Guelker wrote:
> Any ideas? I am attaching a "shorewall dump" with some clients
> connected, and others stuck at SYN_SENT (this is with three external
> ip addresses for SNAT). Thanks for any suggestions you can offer --
> I've been scratchin' my head over this one for a while...

Try adding an entry for 207.41.18.59 to /etc/shorewall/ecn.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On 8/31/06, Tom Eastep <teastep@shorewall.net> wrote:
> Try adding an entry for 207.41.18.59 to /etc/shorewall/ecn.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Thanks for the replies! I tried this. With this entry in /etc/shorewall/ecn, nothing behind the firewall can connect to the site at all (2.6 kernel issue?). ECN is not enabled on my linux clients. I tried enabling it -- doesn't seem to make any difference.

Bill
Bill Guelker wrote:
> Thanks for the replies! I tried this. With this entry in
> /etc/shorewall/ecn, nothing behind the firewall can connect to the
> site at all (2.6 kernel issue?).

It's probably broken again with the same problem that it had back in 2.4.20. The ECN flags are being cleared but the checksum isn't being recalculated.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On 9/1/06, Tom Eastep <teastep@shorewall.net> wrote:
> Bill Guelker wrote:
> >
> > Thanks for the replies! I tried this. With this entry in
> > /etc/shorewall/ecn, nothing behind the firewall can connect to the
> > site at all (2.6 kernel issue?).
>
> It's probably broken again with the same problem that it had back in
> 2.4.20. The ECN flags are being cleared but the checksum isn't being
> recalculated.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

That would explain why things break if I add this entry on the firewall -- but if ECN is disabled on all of the clients (net.ipv4.tcp_ecn = 0), this is unlikely to be the cause of my problem, I think, unless I'm misunderstanding something.

Thanks again,

Bill
Bill Guelker wrote:
> On 9/1/06, Tom Eastep <teastep@shorewall.net> wrote:
> > Bill Guelker wrote:
> > > Thanks for the replies! I tried this. With this entry in
> > > /etc/shorewall/ecn, nothing behind the firewall can connect to the
> > > site at all (2.6 kernel issue?).
> > It's probably broken again with the same problem that it had back in
> > 2.4.20. The ECN flags are being cleared but the checksum isn't being
> > recalculated.
> >
> > -Tom
> > --
> > Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline, \ http://shorewall.net
> > Washington USA \ teastep@shorewall.net
> > PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
>
> That would explain why things break if I add this entry on the
> firewall -- but if ECN is disabled on all of the clients
> (net.ipv4.tcp_ecn = 0), this is unlikely to be the cause of my
> problem, I think, unless I'm misunderstanding something.

I agree that ECN seems to be unrelated to your problem.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
It appears that the problem is caused by TCP timestamps. Disabling TCP timestamps on the linux clients appears to solve my problem. I don't really understand why -- I suppose some device between my network and the other site is "validating" these in some way and dropping packets based on criteria which will probably remain inscrutable....

Thanks for your help, and thanks for Shorewall!

Bill

On 9/1/06, Tom Eastep <teastep@shorewall.net> wrote:
> Bill Guelker wrote:
> > On 9/1/06, Tom Eastep <teastep@shorewall.net> wrote:
> > > Bill Guelker wrote:
> > > > Thanks for the replies! I tried this. With this entry in
> > > > /etc/shorewall/ecn, nothing behind the firewall can connect to the
> > > > site at all (2.6 kernel issue?).
> > > It's probably broken again with the same problem that it had back in
> > > 2.4.20. The ECN flags are being cleared but the checksum isn't being
> > > recalculated.
> > >
> > > -Tom
> > > --
> > > Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> > > Shoreline, \ http://shorewall.net
> > > Washington USA \ teastep@shorewall.net
> > > PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> >
> > That would explain why things break if I add this entry on the
> > firewall -- but if ECN is disabled on all of the clients
> > (net.ipv4.tcp_ecn = 0), this is unlikely to be the cause of my
> > problem, I think, unless I'm misunderstanding something.
>
> I agree that ECN seems to be unrelated to your problem.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
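As an added illustration, not from the thread and not Shorewall code, here is a small Python model of one mechanism known to produce exactly these symptoms: a server that validates TCP timestamps per source address, as Linux did when net.ipv4.tcp_tw_recycle was enabled, and therefore drops any SYN whose TSval is lower than the last one it saw from the shared SNAT address. The host names and timestamp values are constructed, and the model leaves out the real check's 60-second window.

```python
# Added example, not from the thread. Assumed mechanism: the server validates
# TCP timestamps per source address (as Linux did with tcp_tw_recycle=1), so a
# SYN whose TSval is below the last one seen from that address is dropped.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Syn:
    client: str            # internal host name (constructed)
    tsval: Optional[int]   # TCP timestamp option value; None = timestamps off

@dataclass
class PawsPerPeerServer:
    """Remembers the newest TSval seen from each peer IP and drops SYNs that
    appear to go backwards in time (per-address PAWS, assumed behaviour)."""
    last_ts: Dict[str, int] = field(default_factory=dict)

    def accept_syn(self, peer_ip: str, syn: Syn) -> bool:
        if syn.tsval is None:
            return True                      # no option -> nothing to check
        seen = self.last_ts.get(peer_ip)
        if seen is not None and syn.tsval < seen:
            return False                     # dropped: client sits in SYN_SENT
        self.last_ts[peer_ip] = syn.tsval
        return True

def run_office(syns: List[Syn], nat_ip: str = "198.51.100.1") -> Dict[str, bool]:
    """Replay SYNs from several clients behind one SNAT address; True = SYN-ACK."""
    server = PawsPerPeerServer()
    return {s.client: server.accept_syn(nat_ip, s) for s in syns}

def without_timestamps(syns: List[Syn]) -> List[Syn]:
    """The fix from the thread: net.ipv4.tcp_timestamps=0 on the clients."""
    return [Syn(s.client, None) for s in syns]

# Constructed scenario: TSval roughly tracks each host's uptime, so it is
# unrelated between hosts; only the order relative to the last success matters.
OFFICE = [
    Syn("fedora1", 4_000_000),   # first to connect; its TSval becomes the bar
    Syn("fedora2", 250_000),     # rebooted recently: lower TSval -> dropped
    Syn("winxp1", None),         # no timestamp option -> always accepted
    Syn("fedora3", 9_000_000),   # higher TSval -> accepted (and raises the bar)
    Syn("fedora4", 6_500_000),   # now below fedora3's value -> dropped
]

if __name__ == "__main__":
    print(run_office(OFFICE))
    print(run_office(without_timestamps(OFFICE)))
```

With a pool of several SNAT addresses the per-address bar is shared by fewer clients, which matches the partial relief Bill saw before the addresses ran out.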
Bill Guelker wrote:
> It appears that the problem is caused by TCP timestamps.
>
> Thanks for your help, and thanks for Shorewall!

You're welcome. Glad to hear that you were able to solve your problem.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key