Pierre van Male
2004-Feb-11 22:45 UTC
client PC cannot access some internet sites, but the router can
[This email is either empty or too large to be displayed at this time]
Tom Eastep
2004-Feb-11 22:56 UTC
Re: client PC cannot access some internet sites, but the router can
Since the body of your post didn't survive, I can only guess that you need to set CLAMPMSS=Yes in shorewall.conf. If that doesn't work, post again in plain text.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2004-Feb-11 23:48 UTC
Re: client PC cannot access some internet sites, but the router can
I have recovered the text of Pierre's original post. It does sound like CLAMPMSS=Yes should correct his problem.

-------------------------------------------------------------------------

Hello,

I have used shorewall for 2 years for a home network.

I have a router running RedHat 9.0, connected to an ADSL modem, and 2 client PCs connected to the router.

All works fine, except that for some websites like http://www.ing.be or http://www.ovidentia.org, the client PCs cannot access them while the router can. If I try to browse one of these websites, my browser (Mozilla) just displays "Waiting for ...". If I try from the router, it works.

I can ping the website from the router and from the client (www.ing.be doesn't answer for security reasons).

Some additional info:

[root@router root]# shorewall version
1.4.10a
[root@router root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 52:54:05:f7:a5:62 brd ff:ff:ff:ff:ff:ff
4: wlan0: <BROADCAST,MULTICAST,UP> mtu 576 qdisc pfifo_fast qlen 100
    link/ether 00:0d:88:8b:49:47 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global wlan0
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 62.235.117.52 peer 62.235.117.1/32 scope global ppp0
[root@router root]# ip route show
62.235.117.1 dev ppp0 proto kernel scope link src 62.235.117.52
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.1
169.254.0.0/16 dev lo scope link
127.0.0.0/8 dev lo scope link
default via 62.235.117.1 dev ppp0

I have also made a tcpdump on the router for a connection attempt from the router and another one from the client:

From the router:

17:06:59.062483 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1072 > ns1.worldonline.be.domain: 28530+ A? www.ing.be. (28) (DF)
17:06:59.064857 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1073 > ns1.worldonline.be.domain: 35506+ PTR? 34.1.233.212.in-addr.arpa. (43) (DF)
17:06:59.076781 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1072: 28530 2/5/5 CNAME ing.be., (243) (DF)
17:06:59.078145 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.3198 > 195.35.64.38.http: S 831714042:831714042(0) win 5808 <mss 1412,sackOK,timestamp 11076405 0,nop,wscale 0> (DF)
17:06:59.086614 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1073: 35506* 1/2/2 (139) (DF)
17:06:59.087530 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1073 > ns1.worldonline.be.domain: 35507+ PTR? 102.118.235.62.in-addr.arpa. (45) (DF)
17:06:59.101034 PPPoE [ses 0x2dd2] 195.35.64.38.http > ppp-62-235-118-102.tiscali.be.3198: S 3813634530:3813634530(0) ack 831714043 win 16944 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
17:06:59.101414 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.3198 > 195.35.64.38.http: . ack 1 win 5808 <nop,nop,timestamp 11076407 0> (DF)
17:06:59.104940 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.3198 > 195.35.64.38.http: P 1:616(615) ack 1 win 5808 <nop,nop,timestamp 11076408 0> (DF)
17:06:59.106713 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1073: 35507 1/4/5 (259) (DF)
17:06:59.109995 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1073 > ns1.worldonline.be.domain: 35508+ PTR? 38.64.35.195.in-addr.arpa. (43) (DF)
17:06:59.184314 PPPoE [ses 0x2dd2] 195.35.64.38.http > ppp-62-235-118-102.tiscali.be.3198: P 1:1103(1102) ack 616 win 16329 <nop,nop,timestamp 58700896 11076408> (DF)
17:06:59.184974 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.3198 > 195.35.64.38.http: . ack 1103 win 7714 <nop,nop,timestamp 11076416 58700896> (DF)
17:06:59.197516 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1073: 35508 NXDomain* 0/1/0 (98) (DF)
...

And from the client:

17:11:01.899060 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.33056 > 195.35.64.38.http: S 4044467993:4044467993(0) win 5840 <mss 1412,sackOK,timestamp 788702 0,nop,wscale 0> (DF)
17:11:01.901237 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1076 > ns1.worldonline.be.domain: 51813+ PTR? 38.64.35.195.in-addr.arpa. (43) (DF)
17:11:01.926265 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1076: 51813 NXDomain* 0/1/0 (98) (DF)
17:11:01.927189 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1076 > ns1.worldonline.be.domain: 51814+ PTR? 102.118.235.62.in-addr.arpa. (45) (DF)
17:11:01.937124 PPPoE [ses 0x2dd2] 195.35.64.38.http > ppp-62-235-118-102.tiscali.be.33056: S 3898190501:3898190501(0) ack 4044467994 win 16944 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
17:11:01.939411 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.33056 > 195.35.64.38.http: . ack 1 win 5840 <nop,nop,timestamp 788706 0> (DF)
17:11:01.946359 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.33056 > 195.35.64.38.http: P 1:724(723) ack 1 win 5840 <nop,nop,timestamp 788707 0> (DF)
17:11:01.947495 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1076: 51814 1/4/5 (259) (DF)
17:11:01.948283 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1076 > ns1.worldonline.be.domain: 51815+ PTR? 34.1.233.212.in-addr.arpa. (43) (DF)
17:11:02.022473 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1076: 51815* 1/2/2 (139) (DF)
17:11:02.035682 PPPoE [ses 0x2dd2] 195.35.64.38.http > ppp-62-235-118-102.tiscali.be.33056: P 1:1130(1129) ack 724 win 16221 <nop,nop,timestamp 58703324 788707> (DF)
17:11:02.036347 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be > 195.35.64.38: icmp: ppp-62-235-118-102.tiscali.be unreachable - need to frag (mtu 576) [tos 0xc0]
...

Thanks a lot for your help!
Pierre

-----------------------------------------------------------------------------

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Pierre van Male
2004-Feb-12 09:29 UTC
Re: client PC cannot access some internet sites, but the router can
Thank you Tom for having recovered my message and for your suggestion.

Unfortunately, I have put CLAMPMSS to yes and restarted shorewall, but it didn't fix the problem. However, I read in the shorewall.conf file that "The kernel must have CONFIG_IP_NF_TARGET_TCPMSS set". The router runs with the 2.4.20-20.9 standard kernel from RedHat (not compiled).

One clue I didn't give is that the router is linked to the local network by a wireless connection: I have a wireless network card in the router and an access point on the local network. I suppose that doesn't play any role in this issue, but if you suggest it, I can change that and try without the wireless connection (I have to change the network card in the router).

Best regards,
Pierre

Tom Eastep wrote:
> I have recovered the text of Pierre's original post.
>
> It does sound like CLAMPMSS=Yes should correct his problem.
> -------------------------------------------------------------------------
>
> Hello,
>
> I have used shorewall for 2 years for a home network.
>
> I have a router running RedHat 9.0, connected to an ADSL modem, and 2 client PCs connected to the router.
>
> All works fine, except that for some websites like http://www.ing.be or http://www.ovidentia.org, the client PCs cannot access them while the router can. If I try to browse one of these websites, my browser (Mozilla) just displays "Waiting for ...". If I try from the router, it works.
>
> I can ping the website from the router and from the client (www.ing.be doesn't answer for security reasons).
>
> Some additional info:
> [root@router root]# shorewall version
> 1.4.10a
> [root@router root]# ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 52:54:05:f7:a5:62 brd ff:ff:ff:ff:ff:ff
> 4: wlan0: <BROADCAST,MULTICAST,UP> mtu 576 qdisc pfifo_fast qlen 100
>     link/ether 00:0d:88:8b:49:47 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.1/24 brd 192.168.0.255 scope global wlan0
> 5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
>     link/ppp
>     inet 62.235.117.52 peer 62.235.117.1/32 scope global ppp0
> [root@router root]# ip route show
> 62.235.117.1 dev ppp0 proto kernel scope link src 62.235.117.52
> 192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.1
> 169.254.0.0/16 dev lo scope link
> 127.0.0.0/8 dev lo scope link
> default via 62.235.117.1 dev ppp0
>
> I have also made a tcpdump on the router for a connection attempt from the router and another one from the client:
> from the router:
> 17:06:59.062483 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1072 > ns1.worldonline.be.domain: 28530+ A? www.ing.be. (28) (DF)
> 17:06:59.064857 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1073 > ns1.worldonline.be.domain: 35506+ PTR? 34.1.233.212.in-addr.arpa. (43) (DF)
> 17:06:59.076781 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1072: 28530 2/5/5 CNAME ing.be., (243) (DF)
> 17:06:59.078145 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.3198 > 195.35.64.38.http: S 831714042:831714042(0) win 5808 <mss 1412,sackOK,timestamp 11076405 0,nop,wscale 0> (DF)
> 17:06:59.086614 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1073: 35506* 1/2/2 (139) (DF)
> 17:06:59.087530 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1073 > ns1.worldonline.be.domain: 35507+ PTR? 102.118.235.62.in-addr.arpa. (45) (DF)
> 17:06:59.101034 PPPoE [ses 0x2dd2] 195.35.64.38.http > ppp-62-235-118-102.tiscali.be.3198: S 3813634530:3813634530(0) ack 831714043 win 16944 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
> 17:06:59.101414 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.3198 > 195.35.64.38.http: . ack 1 win 5808 <nop,nop,timestamp 11076407 0> (DF)
> 17:06:59.104940 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.3198 > 195.35.64.38.http: P 1:616(615) ack 1 win 5808 <nop,nop,timestamp 11076408 0> (DF)
> 17:06:59.106713 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1073: 35507 1/4/5 (259) (DF)
> 17:06:59.109995 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1073 > ns1.worldonline.be.domain: 35508+ PTR? 38.64.35.195.in-addr.arpa. (43) (DF)
> 17:06:59.184314 PPPoE [ses 0x2dd2] 195.35.64.38.http > ppp-62-235-118-102.tiscali.be.3198: P 1:1103(1102) ack 616 win 16329 <nop,nop,timestamp 58700896 11076408> (DF)
> 17:06:59.184974 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.3198 > 195.35.64.38.http: . ack 1103 win 7714 <nop,nop,timestamp 11076416 58700896> (DF)
> 17:06:59.197516 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1073: 35508 NXDomain* 0/1/0 (98) (DF)
> ...
>
> And from the client:
> 17:11:01.899060 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.33056 > 195.35.64.38.http: S 4044467993:4044467993(0) win 5840 <mss 1412,sackOK,timestamp 788702 0,nop,wscale 0> (DF)
> 17:11:01.901237 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1076 > ns1.worldonline.be.domain: 51813+ PTR? 38.64.35.195.in-addr.arpa. (43) (DF)
> 17:11:01.926265 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1076: 51813 NXDomain* 0/1/0 (98) (DF)
> 17:11:01.927189 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1076 > ns1.worldonline.be.domain: 51814+ PTR? 102.118.235.62.in-addr.arpa. (45) (DF)
> 17:11:01.937124 PPPoE [ses 0x2dd2] 195.35.64.38.http > ppp-62-235-118-102.tiscali.be.33056: S 3898190501:3898190501(0) ack 4044467994 win 16944 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
> 17:11:01.939411 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.33056 > 195.35.64.38.http: . ack 1 win 5840 <nop,nop,timestamp 788706 0> (DF)
> 17:11:01.946359 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.33056 > 195.35.64.38.http: P 1:724(723) ack 1 win 5840 <nop,nop,timestamp 788707 0> (DF)
> 17:11:01.947495 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1076: 51814 1/4/5 (259) (DF)
> 17:11:01.948283 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.1076 > ns1.worldonline.be.domain: 51815+ PTR? 34.1.233.212.in-addr.arpa. (43) (DF)
> 17:11:02.022473 PPPoE [ses 0x2dd2] ns1.worldonline.be.domain > ppp-62-235-118-102.tiscali.be.1076: 51815* 1/2/2 (139) (DF)
> 17:11:02.035682 PPPoE [ses 0x2dd2] 195.35.64.38.http > ppp-62-235-118-102.tiscali.be.33056: P 1:1130(1129) ack 724 win 16221 <nop,nop,timestamp 58703324 788707> (DF)
> 17:11:02.036347 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be > 195.35.64.38: icmp: ppp-62-235-118-102.tiscali.be unreachable - need to frag (mtu 576) [tos 0xc0]
> ...
>
> Thanks a lot for your help!
> Pierre
>
> -----------------------------------------------------------------------------
> -Tom
Tom Eastep
2004-Feb-12 15:12 UTC
Re: client PC cannot access some internet sites, but the router can
On Thursday 12 February 2004 01:29 am, Pierre van Male wrote:
> Thank you Tom for having recovered my message and for your suggestion.
>
> Unfortunately, I have put CLAMPMSS to yes and restarted shorewall, but it didn't fix the problem. However, I read in the shorewall.conf file that "The kernel must have CONFIG_IP_NF_TARGET_TCPMSS set". The router runs with the 2.4.20-20.9 standard kernel from RedHat (not compiled).
>
> One clue I didn't give is that the router is linked to the local network by a wireless connection: I have a wireless network card in the router and an access point on the local network. I suppose that doesn't play any role in this issue, but if you suggest it, I can change that and try without the wireless connection (I have to change the network card in the router).

What output does "shorewall show FORWARD" produce?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2004-Feb-12 15:55 UTC
Re: client PC cannot access some internet sites, but the router can
On Thursday 12 February 2004 07:44 am, Pierre van Male wrote:
> [root@router root]# shorewall show FORWARD
> Shorewall-1.4.10a Chain FORWARD at router - Thu Feb 12 16:41:50 CET 2004
>
> Counters reset Thu Feb 12 11:06:10 CET 2004
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot  opt in     out     source       destination
>     0     0 DROP       !icmp --  *      *       0.0.0.0/0    0.0.0.0/0    state INVALID
>   235 13924 TCPMSS     tcp   --  *      *       0.0.0.0/0    0.0.0.0/0    tcp flags:0x06/0x02 TCPMSS clamp to PMTU
> 4204K 2371M ppp0_fwd   all   --  ppp0   *       0.0.0.0/0    0.0.0.0/0
> 2276K  119M wlan0_fwd  all   --  wlan0  *       0.0.0.0/0    0.0.0.0/0
>     0     0 common     all   --  *      *       0.0.0.0/0    0.0.0.0/0
>     0     0 LOG        all   --  *      *       0.0.0.0/0    0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
>     0     0 reject     all   --  *      *       0.0.0.0/0    0.0.0.0/0
> [root@router root]#

Please stop posting in HTML (and please copy shorewall-users@lists.shorewall.net rather than shorewall-users-request@lists.shorewall.net). I'm tired of having to fool around with the HTML in order to reply.

The above indicates that the CLAMPMSS rule is being applied appropriately to the FORWARD chain. Please provide new tcpdump output of a failed connection attempt with that rule in place.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Pierre van Male
2004-Feb-12 21:38 UTC
client PC cannot access some internet sites, but the router can: Tom, you are great!
It was the MTU (I don't know what it is..., but I will look for it)! I should never have found it alone! Thank you a lot, Tom!

Best regards,
Pierre

Tom Eastep wrote:
> On Thursday 12 February 2004 09:14 am, Pierre van Male wrote:
>> [root@router root]# ip addr ls
>> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>>     link/ether 52:54:05:f7:a5:62 brd ff:ff:ff:ff:ff:ff
>> 3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
>>     link/ppp
>>     inet 62.235.131.87 peer 62.235.131.1/32 scope global ppp0
>> 4: wlan0: <BROADCAST,MULTICAST,UP> mtu 576 qdisc pfifo_fast qlen 100
>>     link/ether 00:0d:88:8b:49:47 brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.0.1/24 brd 192.168.0.255 scope global wlan0
>
> There are two problems here:
>
> a) your wireless LAN interface has an MTU of 576. See if there isn't a way in the setup of this device to set that to 1500. It looks like the other systems on the wireless network are using 1500 given that the SYN packet offers an MSS of 1400+ (see below).
>
> b) Some idiot network admin between you and the site that you are trying to connect to has configured a router to drop ICMP fragmentation-needed packets.
>
> The result is that even with CLAMPMSS=Yes, your end of the connection is offering an MSS of 1400+ yet when the other end responds with a packet of that size, your firewall is saying "I lied -- I really meant 576"; that response is being dropped.
>
> -Tom
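Tom's diagnosis quoted above can be checked mechanically against the client-side capture Pierre posted earlier in the thread. The script below is an added example, not code from this thread or from Shorewall. It parses the old-style tcpdump lines shown in the thread (the regular expressions are assumptions fitted to that syntax), pulls out the MSS each side advertised in the handshake, the largest reply segment, and the MTU reported in the ICMP "need to frag" message, and flags the mismatch. The clamp_mss helper models what the TCPMSS clamp-to-PMTU rule does to a SYN: it lowers the MSS option only as far as the MTU of the route the SYN leaves on, which here is ppp0 at 1492, so the offered 1412 is left alone, while the reply has to fit the 576-byte wlan0 MTU, for which 536 is the largest safe MSS. The embedded trace is copied from the thread and abridged to the TCP and ICMP packets of the failed connection.

```python
import re

# Constructed sample: the client-side tcpdump lines quoted earlier in this
# thread, abridged to the TCP and ICMP packets of the failed connection.
CLIENT_TRACE = """\
17:11:01.899060 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.33056 > 195.35.64.38.http: S 4044467993:4044467993(0) win 5840 <mss 1412,sackOK,timestamp 788702 0,nop,wscale 0> (DF)
17:11:01.937124 PPPoE [ses 0x2dd2] 195.35.64.38.http > ppp-62-235-118-102.tiscali.be.33056: S 3898190501:3898190501(0) ack 4044467994 win 16944 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
17:11:01.939411 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.33056 > 195.35.64.38.http: . ack 1 win 5840 <nop,nop,timestamp 788706 0> (DF)
17:11:01.946359 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be.33056 > 195.35.64.38.http: P 1:724(723) ack 1 win 5840 <nop,nop,timestamp 788707 0> (DF)
17:11:02.035682 PPPoE [ses 0x2dd2] 195.35.64.38.http > ppp-62-235-118-102.tiscali.be.33056: P 1:1130(1129) ack 724 win 16221 <nop,nop,timestamp 58703324 788707> (DF)
17:11:02.036347 PPPoE [ses 0x2dd2] ppp-62-235-118-102.tiscali.be > 195.35.64.38: icmp: ppp-62-235-118-102.tiscali.be unreachable - need to frag (mtu 576) [tos 0xc0]
"""

IP_TCP_HEADERS = 40  # minimal IPv4 header (20) + TCP header (20), no options

# Patterns for the old tcpdump TCP syntax used in the thread (assumed here):
# "src > dst: S seq:seq(0) [ack n] win w <options>" and "src > dst: P a:b(len)".
SYN_RE = re.compile(r' (?P<src>\S+) > (?P<dst>\S+): S \d+:\d+\(0\) (?P<synack>ack \d+ )?win \d+ <(?P<opts>[^>]*)>')
MSS_RE = re.compile(r'\bmss (\d+)')
DATA_RE = re.compile(r' (?P<src>\S+) > (?P<dst>\S+): [P.] \d+:\d+\((?P<len>\d+)\)')
FRAG_RE = re.compile(r'icmp: \S+ unreachable - need to frag \(mtu (?P<mtu>\d+)\)')


def max_mss_for_mtu(mtu):
    """Largest TCP payload that fits in one unfragmented IPv4 packet of the given MTU."""
    return mtu - IP_TCP_HEADERS


def clamp_mss(offered_mss, egress_mtu):
    """Model of TCPMSS clamp-to-PMTU on a SYN: the MSS option is lowered to fit
    the MTU of the route the SYN leaves on, and is never raised."""
    return min(offered_mss, max_mss_for_mtu(egress_mtu))


def analyze(trace):
    """Walk a capture of one TCP connection and report the PMTU blackhole symptom:
    the initiator advertised an MSS larger than the MTU later reported in an
    ICMP 'need to frag' message can carry."""
    responder = None
    initiator_mss = responder_mss = None
    largest_reply = 0
    frag_mtu = None
    for line in trace.splitlines():
        m = SYN_RE.search(line)
        if m:
            mss = MSS_RE.search(m.group('opts'))
            mss = int(mss.group(1)) if mss else None
            if m.group('synack'):
                responder_mss = mss          # SYN/ACK from the server side
            else:
                responder = m.group('dst')   # plain SYN: its destination answers
                initiator_mss = mss
            continue
        m = FRAG_RE.search(line)
        if m:
            frag_mtu = int(m.group('mtu'))
            continue
        m = DATA_RE.search(line)
        if m and m.group('src') == responder:
            largest_reply = max(largest_reply, int(m.group('len')))
    safe_mss = max_mss_for_mtu(frag_mtu) if frag_mtu else None
    return {
        'initiator_mss': initiator_mss,
        'responder_mss': responder_mss,
        'largest_reply_segment': largest_reply,
        'frag_needed_mtu': frag_mtu,
        'safe_mss': safe_mss,
        # True when the SYN promised more than the reported MTU can carry
        'pmtu_mismatch': bool(frag_mtu and initiator_mss and initiator_mss > safe_mss),
    }


if __name__ == '__main__':
    for key, value in analyze(CLIENT_TRACE).items():
        print(f'{key:>22}: {value}')
    # Why CLAMPMSS=Yes did not help: the SYN leaves on ppp0 (MTU 1492), so the
    # clamp leaves 1412 untouched; only the 576-byte wlan0 MTU would give 536.
    print('clamp against ppp0 :', clamp_mss(1412, 1492))
    print('clamp against wlan0:', clamp_mss(1412, 576))
```

On the embedded trace the report shows an initiator MSS of 1412, a 1129-byte reply, an ICMP "need to frag" with MTU 576, a safe MSS of 536 and pmtu_mismatch True, which is exactly the "I lied -- I really meant 576" situation. Raising the wlan0 MTU to 1500, as suggested in the quoted reply, removes the mismatch at its source; the same check can be run over any capture of a connection that stalls right after the first large reply.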
Tom Eastep
2004-Feb-12 23:22 UTC
Re: client PC cannot access some internet sites, but the router can: Tom, you are great!
On Thursday 12 February 2004 01:38 pm, Pierre van Male wrote:
> It was the MTU (I don't know what it is..., but I will look for it)!
>
> I should never have found it alone! Thank you a lot, Tom!

You're welcome. One more thing -- you probably want to upgrade to the latest RedHat kernel; I believe that you said that you are running 2.4.20-20.9 which still has a broken REJECT target...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net