Hello,

This is not really a shorewall problem. But just wanted to check if this problem rang a bell with any of you.

I have a linux router with slackware 9.1, and kernel 2.4.27. Everything works ok except for access to web sites that use akamai from behind the router.

From the router machine itself I can access those sites without problems. But machines behind nat take forever to access yahoo, for example. The page finally shows up, after 5 minutes or so, and is missing the images.

May be a problem with my kernel config? Or something else?

Sorry for the offtopic.

#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE=y
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_ARPD=y
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_IRC=y
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_UNCLEAN=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_MIRROR=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_NAT_LOCAL=y
CONFIG_IP_NF_NAT_SNMP_BASIC=y
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
#
# CONFIG_IP_VS is not set
CONFIG_IPV6=y

#
# IPv6: Netfilter Configuration
#
# CONFIG_IP6_NF_QUEUE is not set
# CONFIG_IP6_NF_IPTABLES is not set
# CONFIG_KHTTPD is not set

#
# SCTP Configuration (EXPERIMENTAL)
#
# CONFIG_IP_SCTP is not set
CONFIG_ATM=y
CONFIG_ATM_CLIP=y
CONFIG_ATM_CLIP_NO_ICMP=y
CONFIG_ATM_LANE=y
CONFIG_ATM_MPOA=y
CONFIG_ATM_BR2684=y
CONFIG_ATM_BR2684_IPFILTER=y
CONFIG_VLAN_8021Q=y
# CONFIG_IPX is not set
# CONFIG_ATALK is not set

Thanks for the info

Jaime Garcia
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jaime Garcia wrote:
> Hello,
>
> This is not really a shorewall problem. But just wanted to check if this
> problem rang a bell with any of you.
>
> I have a linux router with slackware 9.1, and kernel 2.4.27
> Everything works ok except for access to web sites that use akamai from
> behind the router.
>
> From the router machine itself I can access those sites without problems.
> But machines behind nat, take forever to access yahoo for example. The
> page finally shows up, after 5 minutes or so, and is missing the images.
>

Sounds like an MTU problem -- have you tried setting CLAMPMSS=Yes in Shorewall.conf?

- -Tom

- --
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBgYaBO/MAbZfjDLIRAg2gAKC0ECfeTcjYyhjjxcjk0XYzLEdWNwCeLLqE
Xa3gFq7yrWoRgXYPh/eByoI=
=Jdad
-----END PGP SIGNATURE-----
> Sounds like an MTU problem -- have you tried setting CLAMPMSS=Yes in
> Shorewall.conf?
> - -Tom

Yes, I tried CLAMPMSS=Yes, but no luck.
The linux router is connected to a fibertel cablemodem through eth0.

I also tried different dns servers, but it seems that did not affect it.

Jaime Garcia
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jaime Garcia wrote:
>> Sounds like an MTU problem -- have you tried setting CLAMPMSS=Yes in
>> Shorewall.conf?
>> - -Tom
>
>
> Yes I tried CLAMPMSS=Yes, but no luck
> The linux router is connected to a fibertel cablemodem through eth0
>
> I also tried different dns servers, but it seems that did not affect it
>

Then try this:

    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --set-mss 1400

If that helps, you can remove the CLAMPMSS=Yes in shorewall.conf and add the above command to /etc/shorewall/start (or upgrade to 2.2.0 Beta 1 and set CLAMPMSS=1400 in shorewall.conf).

- -Tom

- --
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBgYq1O/MAbZfjDLIRAuzsAJ9f/24Scydh1jkmgJyvAKVhzJGC2ACcCKtD
N3i4a6wXMWfwaKXGapIi1DU=
=A4QI
-----END PGP SIGNATURE-----
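What the iptables rule in the message above actually does to each forwarded SYN, as an added example that is not part of this thread and not Shorewall's or netfilter's code: a byte-level model of the TCPMSS target. It builds a constructed IPv4/TCP SYN carrying an MSS option, applies either a fixed `--set-mss` value or the `--clamp-mss-to-pmtu` rule (path MTU minus the 40 bytes of IPv4 and TCP headers) that CLAMPMSS=Yes uses, and recomputes the TCP checksum so the rewritten segment stays valid. All function names (`build_syn`, `clamp_mss`, `get_mss`, `tcp_checksum_ok`) and the sample addresses are this example's own assumptions; nothing is sent on the wire.

```python
# Added example (not from the thread): a byte-level model of what
# `iptables -j TCPMSS --set-mss N` / `--clamp-mss-to-pmtu` does to a SYN.
# Packet bytes are constructed locally; nothing touches a real interface.
import socket
import struct
from typing import Optional, Tuple

IP_HDR_LEN = 20   # IPv4 header without options
TCP_HDR_LEN = 20  # TCP header without options
SYN, RST = 0x02, 0x04


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum of `data` (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> bytes:
    """Return `tcp` with its checksum recomputed over the IPv4 pseudo-header."""
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(zeroed))
    csum = ones_complement_sum(pseudo + zeroed)
    return tcp[:16] + struct.pack("!H", csum) + tcp[18:]


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
              mss: int, flags: int = SYN) -> bytes:
    """Constructed IPv4/TCP segment with one MSS option (kind 2, length 4)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (TCP_HDR_LEN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      data_offset << 4, flags, 65535, 0, 0) + options
    tcp = with_tcp_checksum(src, dst, tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp), 0,
                     0x4000, 64, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def _mss_option_offset(tcp: bytes) -> Optional[int]:
    """Walk the TCP option list; return the offset of the MSS option, if any."""
    doff = (tcp[12] >> 4) * 4
    pos = TCP_HDR_LEN
    while pos < doff:
        kind = tcp[pos]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP occupies a single byte
            pos += 1
            continue
        length = tcp[pos + 1]
        if length < 2:                # malformed option: stop, do not loop
            break
        if kind == 2 and length == 4:
            return pos
        pos += length
    return None


def get_mss(packet: bytes) -> Optional[int]:
    tcp = packet[(packet[0] & 0x0F) * 4:]
    pos = _mss_option_offset(tcp)
    return None if pos is None else struct.unpack("!H", tcp[pos + 2:pos + 4])[0]


def clamp_mss(packet: bytes, set_mss: Optional[int] = None,
              pmtu: Optional[int] = None) -> Tuple[bytes, Optional[int]]:
    """Model of the TCPMSS target on `--tcp-flags SYN,RST SYN` segments.
    Lowers the MSS option to `set_mss`, or to pmtu - 40 when clamping to the
    path MTU; like the kernel target it never raises an MSS.  (The real target
    also inserts an MSS option into a SYN that has none; this model does not.)
    Returns (packet, resulting MSS) or (packet, None) when the rule did not apply."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_TCP:
        return packet, None
    tcp = bytearray(packet[ihl:])
    if tcp[13] & (SYN | RST) != SYN:
        return packet, None
    pos = _mss_option_offset(bytes(tcp))
    if pos is None:
        return packet, None
    target = set_mss if set_mss is not None else pmtu - IP_HDR_LEN - TCP_HDR_LEN
    old = struct.unpack("!H", tcp[pos + 2:pos + 4])[0]
    if old <= target:
        return packet, old
    tcp[pos + 2:pos + 4] = struct.pack("!H", target)
    fixed = with_tcp_checksum(packet[12:16], packet[16:20], bytes(tcp))
    return packet[:ihl] + fixed, target


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the TCP checksum verifies (folded sum of segment is all ones)."""
    tcp = packet[(packet[0] & 0x0F) * 4:]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return ones_complement_sum(pseudo + tcp) == 0


if __name__ == "__main__":
    syn = build_syn("192.168.1.10", "203.0.113.5", 40000, 80, 1460)
    clamped, mss = clamp_mss(syn, set_mss=1400)
    print("MSS %d -> %d, checksum ok: %s" % (get_mss(syn), mss, tcp_checksum_ok(clamped)))
```

The model makes the diagnostic logic of the thread visible: clamping to the path MTU only lowers an MSS when the router's own route MTU is smaller than what the client advertised, so on a router whose interfaces all report 1500 a 1460-byte MSS is left untouched and CLAMPMSS=Yes changes nothing. A fixed `--set-mss` value (1400 here, or the much lower value suggested later in the thread) forces a smaller segment regardless of what the router believes the MTU to be, which is why it separates an MTU problem from something else.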
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jaime Garcia wrote:
> No luck still. I will upgrade shorewall to 2.2.0 Beta 1 tonight (I have
> 1.4.7), and let you know
>

If the command didn't help then upgrading won't help either.

- -Tom

- --
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBgZHYO/MAbZfjDLIRAk9zAKCVjeubb9LJ5j7/dLeYIiucweGLsgCfUYdZ
l++1SMs9LoFfq98k5ZTGobY=
=Kjyb
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jaime Garcia wrote:
> Ah ok, I will keep thinking about the problem
> Thanks anyhow

You might try going down to 500 or so just to be sure that the problem isn't MTU-related (and you might also set CLAMPMSS=No before trying these experiments so that CLAMPMSS doesn't override the command you enter).

- -Tom

- --
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBgZcUO/MAbZfjDLIRAoicAKDAco3VAUv/Xle0b+3Coid3er5gOgCcCyss
vCIhEtNSsZdIIBvxsLL7m6Y=
=rKZe
-----END PGP SIGNATURE-----
Finally I reinstalled the kernel source, recompiled 2.4.27 and now it works again.

I think the problem may have been the freeswan ipsec patch for 2.4 kernels.

Regards,
Jaime Garcia
On Sat, 2004-10-30 at 10:41, Jaime Garcia wrote:
> Finally I reinstalled the kernel source, recompiled 2.4.27 and now it
> works again.
>
> I think the problem may have been the freeswan ipsec patch for 2.4
> kernels.
>

Thanks for the update.

-Tom

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key