Hi,

NOTE: I'm not subscribed to the shorewall list, please cc me on your replies.

I have a basic 2 interface system. The firewall (bastion host) has a:

1. eth0 - public address
2. eth1 - 192.168.1.0/24 subnet

I'm using SNAT to allow the hosts on the internal network to get access to the web. It's all working ok except for a few missing graphics on some web sites (ie. www.yahoo.com.au) while connecting from the internal hosts. I do not have this problem while connecting to the web from the bastion host itself.

Any ideas? Apologies if this is a well known issue, read just about every bit of doco but could not find my answer.

cheers
Luie

Shorewall version 2.0.1

Luie Matthee wrote:

> I'm using SNAT to allow the hosts on the internal network to get access to the web. It's all working ok except for a few missing graphics on some web sites (ie. www.yahoo.com.au) while connecting from the internal hosts.
> I do not have this problem while connecting to the web from the bastion host itself.
>
> Any ideas? Apologies if this is a well known issue, read just about every bit of doco but could not find my answer.

These sorts of problems usually involve MTU and broken intermediate firewalls/routers that don't pass ICMP properly.

a) Check your internal subnet to be sure that the clients and your firewall are using the same MTU (should be 1500).
b) Try setting CLAMPMSS=Yes in shorewall.conf.

Hope that helps,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
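
One way to confirm the MTU diagnosis from the reply above before enabling CLAMPMSS, as an added example that is not part of the original thread: probe the path with "don't fragment" set, find the largest packet that gets through, and derive the MSS that would have to be clamped. It assumes Linux iputils `ping` (`-M do`); all function names are hypothetical, and `probe_fake_1492` is a constructed stand-in for a path with a 1492-byte MTU.

```shell
#!/bin/sh
# Added example: find the largest packet that crosses a path with DF set,
# then derive the TCP MSS that would have to be clamped for that path.

# Default probe: one ICMP echo with DF set (assumes Linux iputils ping).
# $1 = host, $2 = ICMP payload size in bytes. Returns 0 if a reply came back.
probe_ping() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# Binary-search the path MTU between 576 and the local interface MTU.
# $1 = host, $2 = local MTU, $3 = probe function (default probe_ping).
# Prints the path MTU; fails if even a 576-byte packet gets no reply.
path_mtu() {
    host=$1 hi=$2 probe=${3:-probe_ping} lo=576
    # 28 = 20-byte IPv4 header + 8-byte ICMP header
    "$probe" "$host" $((lo - 28)) || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" $((mid - 28)); then lo=$mid; else hi=$((mid - 1)); fi
    done
    echo "$lo"
}

# MSS for a given MTU: subtract the 20-byte IPv4 and 20-byte TCP headers.
mss_for_mtu() { echo $(( $1 - 40 )); }

# Constructed stand-in for a real path: acts like a link with MTU 1492
# that silently drops anything larger (no ICMP error comes back).
probe_fake_1492() { [ $(( $2 + 28 )) -le 1492 ]; }

# $1 = host, $2 = local MTU, $3 = probe function (optional).
report() {
    pmtu=$(path_mtu "$1" "$2" "${3:-probe_ping}") || { echo "no reply from $1"; return 1; }
    if [ "$pmtu" -lt "$2" ]; then
        echo "path MTU $pmtu < local MTU $2: clamp MSS to $(mss_for_mtu "$pmtu")"
    else
        echo "path MTU $pmtu matches local MTU $2: MSS $(mss_for_mtu "$pmtu")"
    fi
}

# Live use: sh pmtu.sh --probe <host> [local-mtu]
if [ "${1:-}" = "--probe" ] && [ -n "${2:-}" ]; then report "$2" "${3:-1500}"; fi
```

Run it from an internal client as well as from the firewall: a path MTU below the clients' 1500 that the clients never learn about is the condition MSS clamping works around.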