Clients: Some sites just show the top area, not the full page. Some sites can't be reached at all.

I think it is 90% likely the MTU/MSS problem. But I already have set the shorewall.conf CLAMPMSS=1400 or CLAMPMSS=Yes, but it doesn't make things good.

I would be mad. Anybody who helps me would be so appreciated!

If you want to know more info to diagnose my problem, I would be pleased to.

Internet<---ADSL(PPPoE)---->Gateway(Gentoo Kernel 2.4)<----100M Switch------>LAN

    gateway root # cat /etc/ppp/pppoe.conf |grep -i MSS
    # Do you want to clamp the MSS? Here's how to decide:
    CLAMPMSS=1412

    gateway root # shorewall version
    2.2.0-Beta1

    gateway root # uname -a
    Linux gateway 2.4.26-gentoo-r9 #1 Sun Oct 31 07:23:49 CST 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux

    gateway root # ip route show
    218.1.1.253 dev ppp0 proto kernel scope link src 61.171.19.98
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
    192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.254
    127.0.0.0/8 via 127.0.0.1 dev lo scope link
    default via 218.1.1.253 dev ppp0

    gateway root # ip addr show
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:b0:d0:69:c0:9f brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
    3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 1000
        link/ether 00:e0:4c:8c:5a:5b brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.254/24 brd 192.168.0.255 scope global eth1
    4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
        link/ppp
        inet 61.171.19.98 peer 218.1.1.253/32 scope global ppp0
RexHsu wrote:

> Clients: Some sites just show the top area, not the full page. Some sites
> can't be reached at all.

Do these sites all work well from the firewall itself?

> I think it is 90% likely the MTU/MSS problem. But I already have set the
> shorewall.conf CLAMPMSS=1400 or CLAMPMSS=Yes, but it doesn't make things
> good.
>
> I would be mad. Anybody who helps me would be so appreciated!
>
> If you want to know more info to diagnose my problem, I would be pleased to.
>
> Internet<---ADSL(PPPoE)---->Gateway(Gentoo Kernel 2.4)<----100M Switch------>LAN
>
> gateway root # cat /etc/ppp/pppoe.conf |grep -i MSS
> # Do you want to clamp the MSS? Here's how to decide:
> CLAMPMSS=1412

I would go clear down to 600 or so and see if that works -- then you can start increasing it.

-Tom

PS -- In my view, there are no URGENT problems with free software. If you are given to urgency, then you should probably use a commercial product where you can pick up the phone and get immediate help.

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key
Thibodeau, Jamie L.
2004-Nov-11 15:00 UTC
RE: URGENT!! some large websites cant be surfered
Of course most of the time you give faster, more useful responses than any commercial vendor I've ever dealt with.

Jamie Thibodeau

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Thursday, November 11, 2004 8:52 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] URGENT!! some large websites cant be surfered
Jamie Thibodeau wrote on 11/11/2004 13:00:43:

> Of course most of the time you give faster, more useful responses than
> any commercial vendor I've ever dealt with.
>
> Jamie Thibodeau
>
> -Tom
>
> PS -- In my view, there are no URGENT problems with free software. If
> you are given to urgency, then you should probably use a commercial
> product where you can pick up the phone and get immediate help.
> --

I have a rule here - If the subject of a message contains URGENT! it goes directly to my junk folder. ;-)

cheers,
Eduardo Ferreira wrote:

> I have a rule here - If the subject of a message contains URGENT! it goes
> directly to my junk folder. ;-)

I always wait at least 12 hours before responding.

-Tom