I am getting several sites - when surfing with Konqueror, Netscape, Mozilla, or even a windoze IE box that report "Connection Refused" Parts of eBay do not work, and I can't get to samba.org, sfgate.com and several other sites that I know are up and running. (I have even used my work connection to verify those sites are functional).

I was suspecting my Blacklist - but - I tried an empty blacklist (yes I did leave the "# LAST LINE") with no success. "Connection Refused" to a search engine yields thousands of results, most of which do not seem applicable.

Any troubleshooting suggestions would be appreciated.

Thanks John - which should it be ?

In looking around.... /etc/shorewall/common

. /etc/shorewall/common.def
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
run_iptables -A common -p tcp --dport 113 -j REJECT

It also looks like that same last line also exists in common.def
with a comment "Silenty reject it so that connections don't get delayed."

So, at the very least it's redundant

For what it's worth, this error "Connection Refused" takes a long time to come up.

"John S. Andersen" <JAndersen@screenio.com>
09/25/02 12:29 PM
Please respond to JAndersen
To: Bill Light/CA/KAIPERM@KAIPERM
cc:
Subject: Re: [Shorewall-users] Connection Refused
Are you dropping ident packets (port 113) or rejecting them?
Makes a big difference.

On 25 Sep 2002 at 12:09, Bill.Light@kp.org wrote:
>
> I am getting several sites - when surfing with Konqueror, Netscape,
> Mozilla, or even a windoze IE box that report "Connection Refused"
> Parts of eBay do not work, and I can't get to samba.org, sfgate.com
> and several other sites that I know are up and running. (I have even
> used my work connection to verify those sites are functional).
>
> I was suspecting my Blacklist - but - I tried an empty blacklist (yes
> I did leave the "# LAST LINE") with no success. "Connection Refused"
> to a search engine yields thousands of results, most of which do not
> seem applicable.
>
> Any troubleshooting suggestions would be appreciated.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386

Bill.Light@kp.org wrote:
>
> Thanks John - which should it be ?
>
> In looking around.... /etc/shorewall/common
>
> . /etc/shorewall/common.def
> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
> run_iptables -A common -p tcp --dport 113 -j REJECT

Neither of those affect web browsing which was Bill's original complaint.

>
> It also looks like that same last line also exists in common.def
> with a comment "Silenty reject it so that connections don't get delayed."
>
> So, at the very least it's redundant
>
> For what it's worth, this error "Connection Refused" takes a long time
> to come up.
>

Have you turned off ECN on the firewall?

echo 0 > /proc/sys/net/ipv4/tcp_ecn?

If that corrects your problem then you need to arrange for that to happen each time you reboot. Your distribution will have a way to do that or you can always put the command in /etc/shorewall/start.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

No luck - checked on the Shorewall machine, and another Linux box.....both show tcp_ecn are already zero

>
> Thanks John - which should it be ?
>
> In looking around.... /etc/shorewall/common
>
> . /etc/shorewall/common.def
> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
> run_iptables -A common -p tcp --dport 113 -j REJECT

Neither of those affect web browsing which was Bill's original complaint.

>
> It also looks like that same last line also exists in common.def
> with a comment "Silenty reject it so that connections don't get delayed."
>
> So, at the very least it's redundant
>
> For what it's worth, this error "Connection Refused" takes a long time
> to come up.
>

Have you turned off ECN on the firewall?

echo 0 > /proc/sys/net/ipv4/tcp_ecn?

If that corrects your problem then you need to arrange for that to happen each time you reboot. Your distribution will have a way to do that or you can always put the command in /etc/shorewall/start.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Bill.Light@kp.org wrote:
>
> No luck - checked on the Shorewall machine, and another Linux
> box.....both show tcp_ecn are already zero
>

Do you connect to your ISP using PPoE?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Tom Eastep wrote:
> Bill.Light@kp.org wrote:
>
>>
>> No luck - checked on the Shorewall machine, and another Linux
>> box.....both show tcp_ecn are already zero
>>
>
> Do you connect to your ISP using PPoE?
>

Duh -- make that PPPoE

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

I didn't think I was...DSL - Fixed IP address. It was one of the reasons I chose Shorewall. I actually have 5 fixed IP's and wanted to host my own family website, and my brother-in-law's simple web-page, and my daughter's sorority. I haven't gotten to the webserver part yet... (An aside - what do you do with your other 4 fixed IP's?)

66.xxx.yyy.zzz assigned by SBC/Pac Bell (California - Bay area). As I recall PPPoE was required for dynamic IP, not fixed...but I'm willing to be wrong.

SuSE 7.3 / 2.4.16 kernel ==> /etc/rc.config has SETUPDUMMYDEV="no" and START_SMPPPD="no" so if it's there, I guess it's well hidden, or I don't know where to look..

- Bill
=============================================
Tom Eastep <teastep@shorewall.net>
Sent by: shorewall-users-admin@shorewall.net
09/25/02 03:45 PM
To: Tom Eastep <teastep@shorewall.net>
cc: Bill Light/CA/KAIPERM@KAIPERM, shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Connection Refused
Tom Eastep wrote:
> Bill.Light@kp.org wrote:
>
>>
>> No luck - checked on the Shorewall machine, and another Linux
>> box.....both show tcp_ecn are already zero
>>
>
> Do you connect to your ISP using PPoE?
>
Duh -- make that PPPoE
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users

Bill.Light@kp.org wrote:
>
> I didn't think I was...DSL - Fixed IP address. It was one of the
> reasons I chose Shorewall. I actually have 5 fixed IP's and wanted to
> host my own family website, and my brother-in-law's simple web-page, and
> my daughter's sorority. I haven't gotten to the webserver part yet...
> (An aside - what do you do with your other 4 fixed IP's?)

http://www.shorwall.net/myfiles.htm

> 66.xxx.yyy.zzz assigned by SBC/Pac Bell (California - Bay area). As
> I recall PPPoE was required for dynamic IP, not fixed...but I'm willing
> to be wrong.
>
> SuSE 7.3 / 2.4.16 kernel ==> /etc/rc.config has SETUPDUMMYDEV="no"
> and START_SMPPPD="no" so if it's there, I guess it's well hidden, or
> I don't know where to look..
>

ifconfig ppp0

Even if that gives you an error, you can try setting CLAMPMSS=Yes in your shorewall.conf.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Tom Eastep wrote:
> Bill.Light@kp.org wrote:
>
>>
>> I didn't think I was...DSL - Fixed IP address. It was one of the
>> reasons I chose Shorewall. I actually have 5 fixed IP's and wanted to
>> host my own family website, and my brother-in-law's simple web-page,
>> and my daughter's sorority. I haven't gotten to the webserver part
>> yet... (An aside - what do you do with your other 4 fixed IP's?)
>
>
> http://www.shorwall.net/myfiles.htm

Gosh, my typing is bad today:

http://www.shorewall.net/myfiles.htm

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

to the ifconfig command, I get ppp0: error fetching interface information: Device not found

and CLAMPMSS was "no" I switched it to "yes" didn't help...

on the first machine behind the firewall (also SuSE 7.3 running 2.4.16 kernel) lynx samba.org gives...

Looking up samba.org first
Looking up samba.org
samba.org
Making HTTP connection to samba.org
Alert!: Unable to connect to remove host.

lynx: Can't access startfile http://samba.org/

and samba.org is up....sigh

Tom Eastep <teastep@shorewall.net>
09/25/02 04:42 PM
To: Bill Light/CA/KAIPERM@KAIPERM
cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Connection Refused
Bill.Light@kp.org wrote:
>
> I didn't think I was...DSL - Fixed IP address. It was one of the
> reasons I chose Shorewall. I actually have 5 fixed IP's and wanted to
> host my own family website, and my brother-in-law's simple web-page, and
> my daughter's sorority. I haven't gotten to the webserver part yet...
> (An aside - what do you do with your other 4 fixed IP's?)

http://www.shorewall.net/myfiles.htm

> 66.xxx.yyy.zzz assigned by SBC/Pac Bell (California - Bay area). As
> I recall PPPoE was required for dynamic IP, not fixed...but I'm willing
> to be wrong.
>
> SuSE 7.3 / 2.4.16 kernel ==> /etc/rc.config has SETUPDUMMYDEV="no"
> and START_SMPPPD="no" so if it's there, I guess it's well hidden, or
> I don't know where to look..
>

ifconfig ppp0

Even if that gives you an error, you can try setting CLAMPMSS=Yes in your shorewall.conf.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Just more info.....Also tried w3m and get:

Looking up samba.org
samba.org
Making HTTP connection to samba.org
w3m: Can't load samba.org

Both lynx and w3m work for google.com

traceroute to google.com gives expected results 1st my firewall, 2nd the dsl modem, 3rd a pbi net ... and off it goes
traceroute to samba.org gives my firewall and for the 1st hop and everything after that is 3 asterisks....

nslookup works for both google.com and samba.org

Bill.Light@kp.org wrote:
>
> to the ifconfig command, I get ppp0: error fetching interface
> information: Device not found
>
> and CLAMPMSS was "no" I switched it to "yes" didn't help...
>
> on the first machine behind the firewall (also SuSE 7.3 running 2.4.16
> kernel) lynx samba.org gives...
>
> Looking up samba.org first
> Looking up samba.org
> samba.org
> Making HTTP connection to samba.org
> Alert!: Unable to connect to remove host.
>
> lynx: Can't access startfile http://samba.org/
>
> and samba.org is up....sigh

I don't know what else to tell you other than to put a sniffer on your external interface and convince yourself that the problem is outside your firewall, not in it....

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Bill.Light@KP.ORG wrote:
>
>
> Just more info.....Also tried w3m and get:
>
> Looking up samba.org
> samba.org
> Making HTTP connection to samba.org
> w3m: Can't load samba.org
>
> Both lynx and w3m work for google.com
>
> traceroute to google.com gives expected results 1st my firewall, 2nd the
> dsl modem, 3rd a pbi net ... and off it goes
> traceroute to samba.org gives my firewall and for the 1st hop and
> everything after that is 3 asterisks....
>
> nslookup works for both google.com and samba.org

Bill -- I think you should get your ISP involved because I don't think this problem is inside your network.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Bill.Light@KP.ORG wrote:
>
>
> Just more info.....Also tried w3m and get:
>
> Looking up samba.org
> samba.org
> Making HTTP connection to samba.org
> w3m: Can't load samba.org
>
> Both lynx and w3m work for google.com
>
> traceroute to google.com gives expected results 1st my firewall, 2nd the
> dsl modem, 3rd a pbi net ... and off it goes
> traceroute to samba.org gives my firewall and for the 1st hop and
> everything after that is 3 asterisks....
>

Please send me the output of "shorewall status".

Thanks,
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Bill.Light@KP.ORG wrote:
>
>
> Just more info.....Also tried w3m and get:
>
> Looking up samba.org
> samba.org
> Making HTTP connection to samba.org
> w3m: Can't load samba.org
>
> Both lynx and w3m work for google.com
>
> traceroute to google.com gives expected results 1st my firewall, 2nd the
> dsl modem, 3rd a pbi net ... and off it goes
> traceroute to samba.org gives my firewall and for the 1st hop and
> everything after that is 3 asterisks....
>
> nslookup works for both google.com and samba.org
>

To complete this thread -- the problem was an incorrect Mask setting on Bill's internet interface.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

On 26 Sep 2002 at 16:22, Tom Eastep wrote:
> Bill.Light@KP.ORG wrote:
> >
> >
> > Just more info.....Also tried w3m and get:
> >
> > Looking up samba.org
> > samba.org
> > Making HTTP connection to samba.org
> > w3m: Can't load samba.org
> >
> > Both lynx and w3m work for google.com
> >
> > traceroute to google.com gives expected results 1st my firewall, 2nd
> > the dsl modem, 3rd a pbi net ... and off it goes traceroute to
> > samba.org gives my firewall and for the 1st hop and everything
> > after that is 3 asterisks....
> >
> > nslookup works for both google.com and samba.org
> >
>
> To complete this thread -- the problem was an incorrect Mask setting
> on Bill's internet interface.
>
> -Tom

So how come ANYTHING went thru???

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386

John S. Andersen wrote:
>
>
> So how come ANYTHING went thru???
>

Bill had 255.0.0.0 when he should have had 255.255.255.0 and his IP address was 66.xxx.yyy.zzz. That meant he couldn't access any host in the class A 66.0.0.0/24 outside of his class C (66.xxx.yyy.0/24). He could access the rest of the internet fine.

Since his mask was 255.0.0.0, his firewall was trying to communicate directly with ALL hosts in 66.0.0.0/24 (repeatedly sending ARP "who-has") rather than just when communicating with 66.xxx.yyy.0/24.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Tom Eastep wrote:
> John S. Andersen wrote:
>
>>
>>
>> So how come ANYTHING went thru???
>>
>
> Bill had 255.0.0.0 when he should have had 255.255.255.0 and his IP
> address was 66.xxx.yyy.zzz. That meant he couldn't access any host in
> the class A 66.0.0.0/24 outside of his class C (66.xxx.yyy.0/24). He
> could access the rest of the internet fine.

I of course meant 66.0.0.0/8 rather than 66.0.0.0/24....

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
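
The on-link decision behind the diagnosis above, as an added example that is not part of the original thread or of Shorewall: it compares the next hop chosen under mask 255.0.0.0 and under 255.255.255.0 and lists what the wrong mask cuts off. The interface address 66.10.20.30, the gateway 66.10.20.1 and the destination addresses are constructed stand-ins for the masked 66.xxx.yyy.zzz values.

```python
"""On-link vs. routed next hop under a wrong and a correct netmask.

Added example. Every address here is constructed; the two masks are the
ones named in the thread.
"""
import ipaddress

IFACE_IP = "66.10.20.30"      # constructed stand-in for 66.xxx.yyy.zzz
GATEWAY = "66.10.20.1"        # constructed: ISP router inside the real /24
WRONG_MASK = "255.0.0.0"      # from the thread: what was configured
RIGHT_MASK = "255.255.255.0"  # from the thread: what it should have been


def next_hop(iface_ip, netmask, gateway, dest):
    """Mimic the host's routing choice for one destination.

    If the connected network derived from address/netmask covers dest,
    the host ARPs for dest directly ("arp"). Otherwise the packet is
    handed to the default gateway ("gateway").
    """
    connected = ipaddress.ip_interface(f"{iface_ip}/{netmask}").network
    if ipaddress.ip_address(dest) in connected:
        return ("arp", dest)
    return ("gateway", gateway)


def broken_by_mask(iface_ip, wrong_mask, right_mask, gateway, dests):
    """Destinations the wrong mask ARPs for although they must be routed."""
    broken = []
    for dest in dests:
        wrong = next_hop(iface_ip, wrong_mask, gateway, dest)
        right = next_hop(iface_ip, right_mask, gateway, dest)
        if wrong[0] == "arp" and right[0] == "gateway":
            broken.append(dest)
    return broken


def blackholed_networks(iface_ip, wrong_mask, right_mask):
    """Networks wrongly treated as on-link: wrong connected net minus the real one."""
    wrong = ipaddress.ip_interface(f"{iface_ip}/{wrong_mask}").network
    right = ipaddress.ip_interface(f"{iface_ip}/{right_mask}").network
    if not right.subnet_of(wrong):
        raise ValueError("correct network is not inside the misconfigured one")
    return sorted(wrong.address_exclude(right))


if __name__ == "__main__":
    # Constructed destinations: a LAN neighbour, a remote host that happens
    # to live in 66.0.0.0/8, a host outside 66.0.0.0/8, and the gateway.
    dests = ["66.10.20.99", "66.200.1.1", "198.51.100.7", GATEWAY]
    print(f"{'destination':<15} {'mask ' + WRONG_MASK:<28} mask {RIGHT_MASK}")
    for d in dests:
        w = next_hop(IFACE_IP, WRONG_MASK, GATEWAY, d)
        r = next_hop(IFACE_IP, RIGHT_MASK, GATEWAY, d)
        print(f"{d:<15} {w[0] + ' ' + w[1]:<28} {r[0]} {r[1]}")

    print("unreachable with the wrong mask:",
          broken_by_mask(IFACE_IP, WRONG_MASK, RIGHT_MASK, GATEWAY, dests))

    nets = blackholed_networks(IFACE_IP, WRONG_MASK, RIGHT_MASK)
    total = sum(n.num_addresses for n in nets)
    print(f"{len(nets)} networks, {total} addresses ARPed for instead of routed")
```

The gateway is on-link under both masks, which is why destinations outside 66.0.0.0/8 kept working while remote hosts inside it got ARP requests that nobody answered.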