Hi. I have Shorewall 2.4.1 running on Mandriva 2006 (not MNF). It seems I have some trouble with https websites. One (i.e. https://toolbox.iinet.net.au/ ) doesn't work at all. It seems to time out and cannot bring up the site. (Strangely, it gives a DNS error that it can't find the site, yet I can telnet to port 443 on that address above.) When using my online banking, the connections seem very slow and some windows which pop up come up blank, and the page stays that way while the Windows egg timer flips over and over and over. I have to log out of the site and log back in to regain control.

Is there something I need to configure specifically for these types of sites? I thought probably not, but I should check.

All my rules are:

ACCEPT net fw tcp 22,20,21,6881:6999 -
REDIRECT loc 3128 tcp www -

In desperation I tried this, but have now removed it:

ACCEPT loc net tcp https -

Thanks.
Jason.
On Tuesday 14 February 2006 03:15, Jason Oakley wrote:
> Is there something I need to configure specifically for these types of
> sites? I thought probably not, but I should check.
>
> All my rules are:
>
> ACCEPT net fw tcp 22,20,21,6881:6999 -
> REDIRECT loc 3128 tcp www -
>
> In desperation I tried this, but have now removed it:
>
> ACCEPT loc net tcp https -

When you have intermittent problems or problems with particular sites, adding Shorewall rules is not the answer.

You might try setting CLAMPMSS=Yes in shorewall.conf -- might be an MTU discovery problem with some sites. If that doesn't help, try CLAMPMSS=1200. If that works, then gradually increase the value to find the highest setting where it still works.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
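The following is an added worked example, not part of the original thread and not Shorewall's own code. It shows the arithmetic behind Tom's CLAMPMSS advice and the check a practitioner would run before picking a fixed value. Facts it relies on: an IPv4 TCP segment carries 20 bytes of IP header and 20 bytes of TCP header, so MSS = MTU - 40; an ICMP echo carries 20 + 8 bytes of header, so a ping payload of MTU - 28 with the don't-fragment bit set probes a given MTU; iptables' TCPMSS target accepts `--clamp-mss-to-pmtu` and `--set-mss N`. The exact chain Shorewall 2.x places its TCPMSS rule in is an assumption here (the rule is only printed, never executed, so this runs unprivileged); the MTU values 1500 (Ethernet) and 1492 (PPPoE) are the usual ones, and the host name in the probe command is a placeholder.

```shell
#!/bin/sh
# Added example: MSS clamping arithmetic for Shorewall's CLAMPMSS setting.
# Nothing here touches the firewall; rules and probe commands are printed
# so the reader can compare them with what Shorewall generates.

# TCP MSS that fits one packet on a link of the given MTU:
# MTU minus 20-byte IPv4 header minus 20-byte TCP header.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# ICMP echo payload that produces a full-size packet on a link of the given
# MTU: MTU minus 20-byte IPv4 header minus 8-byte ICMP header.
ping_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Linux ping command that tests whether packets of the given MTU reach a
# host without fragmentation (-M do sets DF). If this fails while a smaller
# size succeeds, path MTU discovery is being blocked somewhere and clamping
# is the workaround Tom describes. HOST is a placeholder.
pmtu_probe_cmd() {
    echo "ping -M do -c 3 -s $(ping_payload_for_mtu "$2") $1"
}

# The iptables rule corresponding to a CLAMPMSS value in shorewall.conf:
# "Yes" clamps each SYN's MSS to the discovered path MTU, a number forces a
# fixed MSS, "No" produces no rule. Assumption: the FORWARD chain of the
# filter table is where Shorewall 2.x puts this; the TCPMSS options are real.
clampmss_rule() {
    case "$1" in
        Yes|yes)
            echo "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" ;;
        No|no)
            echo "" ;;
        *)
            echo "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $1" ;;
    esac
}

# True if a fixed CLAMPMSS value can fit one packet on the outbound link.
# CLAMPMSS takes an MSS, not an MTU: 1492 on a PPPoE link (MTU 1492) exceeds
# MTU-40 = 1452, which is the "1492 seems too big" observation in the thread.
mss_fits() {
    [ "$1" -le "$(mss_for_mtu "$2")" ]
}

# Stand-alone walkthrough for a PPPoE uplink.
if [ "${0##*/}" != "sh" ]; then
    for mtu in 1500 1492; do
        echo "MTU $mtu -> max MSS $(mss_for_mtu "$mtu"); probe: $(pmtu_probe_cmd HOST "$mtu")"
    done
    for v in Yes 1200 1420 1492; do
        echo "CLAMPMSS=$v -> $(clampmss_rule "$v")"
    done
    mss_fits 1420 1492 && echo "1420 fits a 1492-byte MTU"
    mss_fits 1492 1492 || echo "1492 does not fit a 1492-byte MTU (max is 1452)"
fi
```

Start with CLAMPMSS=Yes, since it adapts per path; fall back to a fixed value only when the path MTU information itself is being dropped, and keep that value at or below MTU-40 of the slowest link you own.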
Thanks Tom! I knew I should not try throwing in rules, but didn't know what else to do. You hit the nail on the head, though! I've currently got it on 1420 and it works nicely. 1492 seems too big, but if I can access the sites I need to, that's the main thing.

Appreciate the assistance.

Tom Eastep wrote:
> On Tuesday 14 February 2006 03:15, Jason Oakley wrote:
>
>> Is there something I need to configure specifically for these types of
>> sites? I thought probably not, but I should check.
>>
>> All my rules are:
>>
>> ACCEPT net fw tcp 22,20,21,6881:6999 -
>> REDIRECT loc 3128 tcp www -
>>
>> In desperation I tried this, but have now removed it:
>>
>> ACCEPT loc net tcp https -
>
> When you have intermittent problems or problems with particular sites, adding
> Shorewall rules is not the answer.
>
> You might try setting CLAMPMSS=Yes in shorewall.conf -- might be an MTU
> discovery problem with some sites. If that doesn't help, try CLAMPMSS=1200.
> If that works, then gradually increase the value to find the highest setting
> where it still works.
>
> -Tom