Shorewall users - May 2006 - Website not appearing correctly when forwarded through Shorewall

Hello

Please be aware:  The following sites are not yet accessible as I am working 
remotely and the firewall has fallen over, will rectify this tomorrow.

Main website is located at http://www.hassenbrook.org.uk (213.38.46.6)
Webmail located at http://hassenbrook.org.uk:82 (213.38.46.6:82)
Conference website located at http://facilitate.hassenbrook.org.uk 
(213.38.46.51)

At work I run Shorewall version 2.4.1.

It port forwards port 80 requests to the internal webserver of 
10.146.24.49:85, this is the main website which works fine.

It port forwards port 82 requests to the internal mail server of 
10.146.24.20:82, this works fine.

The problem appears when I attempt to get to the conference website.  It 
uses a second external IP of 213.38.46.51.  I have told Shorewall to forward 
any connections for 213.38.46.51 to our internal conference website server 
of 10.146.24.26.

The result is that the conference site appears very very slowly and the 
images do not appear at all.  WIthout the firewall in place, the conference 
website appears with no issues.

I have tried using Proxy ARP with no luck too.

Any help would be greatly appreciated.

Jason




-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Jason Bassett wrote:
> Any help would be greatly appreciated.
I recommend that you start from the server with a packet sniffer and
work your way outward. As I told you on IRC, I''m aware of nothing in a
Shorewall configuration that could cause this type of behavior on only
one external/internal IP pair. The slowness and inability to transfer
large objects certainly sounds like a link-level problem.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Jason Bassett escribió:
> Any help would be greatly appreciated.
> 
Your problem doesn''t seems to be shorewall related, the issue seems to
be in the link level, but unless you provide some facts, there is
nothing we can do for you.

On 5/16/06, Jason Bassett <jason_bassett@hotmail.com> wrote:
[snip]
> The result is that the conference site appears very very slowly and the
> images do not appear at all.  WIthout the firewall in place, the conference
> website appears with no issues.
[snip]

Just guessing here:
Could it be that your firewall blocks ICMP so that Path MTU Discovery
stops working?


Rune


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Rune Kock wrote:
> On 5/16/06, Jason Bassett <jason_bassett@hotmail.com> wrote:
> [snip]
> 
>> The result is that the conference site appears very very slowly and the
>> images do not appear at all.  WIthout the firewall in place, the
>> conference
>> website appears with no issues.
> 
> [snip]
> 
> Just guessing here:
> Could it be that your firewall blocks ICMP so that Path MTU Discovery
> stops working?
I had considered that as well, Rune, but I would have thought that a
Path MTU Discovery problem would have affected all three web sites equally.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key