Jamie Kline
2010-Jul-18 02:47 UTC
Ping out, DNS resolving, but only partially able to 80/21 out.
Hi Folks,

I've been toying with Linux on and off for the past 10 years, but 'have been off the wagon so-to-speak for a few, so please bear with me.

Fresh install of Slackware, kernel 2.6.29
Shorewall 4.4.10

eth0 is direct to dynamic-IP cable modem
eth1 is static IP, 192.168.0.1/24
testing 'client' (XP) behind firewall is static 192.168.0.2/24 with DNS manually defined (for now)
Configured Shorewall per '2-interface' example.

What DOES work:
1-access out of eth0 (from linux box) to net - port 80 and 21 work fine
2-ICMP both ways between testing client and eth1
3-ICMP from client to net
4-DNS is resolving for client
5-*partial* FTP connection from client to net (see below)

What DOESN'T work:
1-Browser access from client to net
2-FTP will connect to ftp.ni.com, but after (anonymous) login, only *three lines* of banner displays, then pukes out.

FTP immediately tested thereafter from linux box and it works fine - full banner, I can pull down files, etc.

The log dump was taken after:
1-shorewall restart
2-client attempt to browse to www.google.com (failed)
3-client pinged www.google.com (worked)
4-client ftp to ftp.ni.com (partially worked, as described above).

Any suggestions are greatly appreciated. I'm not sure if you can (easily) discern the contents of my configuration files from the log dump, so if you'd like to see them, by all means just ask.

V/R,
Jamie

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
Tom Eastep
2010-Jul-18 03:07 UTC
Re: Ping out, DNS resolving, but only partially able to 80/21 out.
On 7/17/10 7:47 PM, Jamie Kline wrote:
> Hi Folks,
>
> I've been toying with Linux on and off for the past 10 years, but 'have
> been off the wagon so-to-speak for a few so please bear with me.
>
> Fresh install of Slackware, kernel 2.6.29
> Shorewall 4.4.10
>
> eth0 is direct to dynamic-IP cable modem
> eth1 is static IP, 192.168.0.1/24
> testing 'client' (XP) behind firewall is static 192.168.0.2/24 with
> DNS manually defined (for now)
> Configured Shorewall per '2-interface' example.
>
> What DOES work:
> 1-access out of eth0 (from linux box) to net - port 80 and 21 work fine
> 2-ICMP both ways between testing client and eth1
> 3-ICMP from client to net
> 4-DNS is resolving for client
> 5-*partial* FTP connection from client to net (see below)
>
> What DOESN'T work:
> 1-Browser access from client to net
> 2-FTP will connect to ftp.ni.com, but after (anonymous) login, only
> *three lines* of banner displays, then pukes out.
>
> FTP immediately tested thereafter from linux box and it works fine -
> full banner, I can pull down files, etc.
>
> The log dump was taken after:
> 1-shorewall restart
> 2-client attempt to browse to www.google.com (failed)
> 3-client pinged www.google.com (worked)
> 4-client ftp to ftp.ni.com (partially worked, as described above).
>
> Any suggestions are greatly appreciated. I'm not sure if you can
> (easily) discern the contents of my configuration files from the log
> dump, so if you'd like to see them, by all means just ask.

Please see if setting CLAMPMSS=Yes in shorewall.conf helps.

-Tom
--
Tom Eastep              \ When I die, I want to go like my Grandfather who
Shoreline,               \ died peacefully in his sleep. Not screaming like
Washington, USA           \ all of the passengers in his car
http://shorewall.net       \________________________________________________
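Tom's CLAMPMSS suggestion above targets a path-MTU black hole: small packets (pings, DNS replies, the first lines of an FTP banner) traverse the path, while full-size TCP segments are silently lost when the "fragmentation needed" ICMP messages that PMTU discovery relies on never arrive. That fits the symptom list in the original post. With CLAMPMSS=Yes, Shorewall emits a netfilter TCPMSS rule that rewrites the MSS option in forwarded SYN segments so that every segment the peer sends fits the path MTU. The Python below is an added example, not Shorewall's or Tom's code; it performs that rewrite on a constructed SYN option block so the effect can be seen byte by byte. The option bytes (a typical Windows XP SYN: MSS 1460, NOP, NOP, SACK-permitted) and the path MTU of 1492 are constructed sample input, and the helper names are this example's own.

```python
"""TCP MSS clamping, the operation behind Shorewall's CLAMPMSS=Yes.

Added example: walks a TCP option list, finds the MSS option (kind 2) in a
SYN and lowers it so that MSS <= PMTU - 40, the same arithmetic the netfilter
TCPMSS target uses with --clamp-mss-to-pmtu for IPv4 without header options.
"""

# TCP option kinds that the walker has to recognise.
TCPOPT_EOL = 0   # end of option list, single byte
TCPOPT_NOP = 1   # padding, single byte
TCPOPT_MSS = 2   # maximum segment size, kind(1) + len(1) + value(2)

IP_HDR = 20      # IPv4 header without options
TCP_HDR = 20     # TCP header without options


def mss_for_pmtu(pmtu: int) -> int:
    """Largest TCP payload that fits in one unfragmented packet on the path."""
    return pmtu - IP_HDR - TCP_HDR


def parse_tcp_options(options: bytes) -> list:
    """Return [(kind, data)] for a TCP option block; raise on malformed input."""
    out = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            out.append((kind, b""))
            break                      # everything after EOL is padding
        if kind == TCPOPT_NOP:
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option at offset %d" % i)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        out.append((kind, options[i + 2:i + length]))
        i += length
    return out


def clamp_mss(options: bytes, pmtu: int) -> tuple:
    """Rewrite the MSS option of a SYN so the advertised MSS fits the path MTU.

    Returns (new_options, original_mss, clamped_mss). original_mss is None
    when the SYN carried no MSS option; the block is then left unchanged,
    which matches the default behaviour of the TCPMSS target.
    """
    limit = mss_for_pmtu(pmtu)
    rebuilt = bytearray()
    orig = None
    new = None
    for kind, data in parse_tcp_options(options):
        if kind in (TCPOPT_EOL, TCPOPT_NOP):
            rebuilt.append(kind)
            continue
        if kind == TCPOPT_MSS and len(data) == 2:
            orig = int.from_bytes(data, "big")
            new = min(orig, limit)     # only ever lower the MSS, never raise it
            data = new.to_bytes(2, "big")
        rebuilt += bytes([kind, len(data) + 2]) + data
    # Keep the option block the same length (padding after EOL is restored).
    rebuilt += b"\x00" * (len(options) - len(rebuilt))
    return bytes(rebuilt), orig, new


# Constructed sample: MSS 1460, NOP, NOP, SACK-permitted, as an XP client sends.
SAMPLE_SYN_OPTIONS = bytes.fromhex("020405b401010402")
SAMPLE_PMTU = 1492   # e.g. a PPPoE link that is smaller than the Ethernet MTU

if __name__ == "__main__":
    new_opts, before, after = clamp_mss(SAMPLE_SYN_OPTIONS, SAMPLE_PMTU)
    print("before:", SAMPLE_SYN_OPTIONS.hex(), "MSS", before)
    print("after: ", new_opts.hex(), "MSS", after)
```

Only the two MSS bytes change (0x05b4 = 1460 becomes 0x05ac = 1452); every other option, and the block length, stays as it was, which is why the rewrite is safe to apply to every forwarded SYN. A SYN that already advertises an MSS at or below the limit passes through untouched, and a SYN with no MSS option is not given one here.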
Jamie Kline
2010-Jul-18 03:22 UTC
Re: Ping out, DNS resolving, but only partially able to 80/21 out.
That worked! Well, mostly. Now I get full FTP banner, but then (this is command-line from XP for what it's worth), I'm dumped back to the prompt.

FTP'ing through a browser lets me navigate directories, but more often than not, times out - a subsequent refresh brings the listing up.

Care to elude?

Thank you,
Jamie

On Sat, Jul 17, 2010 at 11:07 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 7/17/10 7:47 PM, Jamie Kline wrote:
>> Hi Folks,
>>
>> I've been toying with Linux on and off for the past 10 years, but 'have
>> been off the wagon so-to-speak for a few so please bear with me.
>>
>> Fresh install of Slackware, kernel 2.6.29
>> Shorewall 4.4.10
>>
>> eth0 is direct to dynamic-IP cable modem
>> eth1 is static IP, 192.168.0.1/24
>> testing 'client' (XP) behind firewall is static 192.168.0.2/24 with
>> DNS manually defined (for now)
>> Configured Shorewall per '2-interface' example.
>>
>> What DOES work:
>> 1-access out of eth0 (from linux box) to net - port 80 and 21 work fine
>> 2-ICMP both ways between testing client and eth1
>> 3-ICMP from client to net
>> 4-DNS is resolving for client
>> 5-*partial* FTP connection from client to net (see below)
>>
>> What DOESN'T work:
>> 1-Browser access from client to net
>> 2-FTP will connect to ftp.ni.com, but after (anonymous) login, only
>> *three lines* of banner displays, then pukes out.
>>
>> FTP immediately tested thereafter from linux box and it works fine -
>> full banner, I can pull down files, etc.
>>
>> The log dump was taken after:
>> 1-shorewall restart
>> 2-client attempt to browse to www.google.com (failed)
>> 3-client pinged www.google.com (worked)
>> 4-client ftp to ftp.ni.com (partially worked, as described above).
>>
>> Any suggestions are greatly appreciated. I'm not sure if you can
>> (easily) discern the contents of my configuration files from the log
>> dump, so if you'd like to see them, by all means just ask.
>
> Please see if setting CLAMPMSS=Yes in shorewall.conf helps.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
“Be who you are and say what you feel because those who mind don't matter and those who matter don't mind.” - Dr. Seuss
Tom Eastep
2010-Jul-18 03:36 UTC
Re: Ping out, DNS resolving, but only partially able to 80/21 out.
On 7/17/10 8:22 PM, Jamie Kline wrote:
> That worked! Well, mostly. Now I get full FTP banner, but then (this
> is command-line from XP for what it's worth), I'm dumped back to the
> prompt.
>
> FTP'ing through a browser lets me navigate directories, but more often
> than not, times out - a subsequent refresh brings the listing up.
>
> Care to elude?

Not tonight.

-Tom
Tom Eastep
2010-Jul-18 13:26 UTC
Re: Ping out, DNS resolving, but only partially able to 80/21 out.
On 7/17/10 8:22 PM, Jamie Kline wrote:
> That worked! Well, mostly. Now I get full FTP banner, but then (this
> is command-line from XP for what it's worth), I'm dumped back to the
> prompt.
>
> FTP'ing through a browser lets me navigate directories, but more often
> than not, times out - a subsequent refresh brings the listing up.
>
> Care to elude?

I have taken another look at the dump this morning and I see nothing in the firewall configuration that would explain this behavior. The firewall only rules on new connections; once a connection is allowed, the firewall just passes packets.

If it were my system, the next thing I would do is to use a packet sniffer and see what is going on at the link level.

-Tom
Jamie Kline
2010-Jul-18 14:51 UTC
Re: Ping out, DNS resolving, but only partially able to 80/21 out.
Restarted shorewall, fired up the sniffer, but everything seems OK now. No reports of congestion. I had previously checked eth1 NIC by swapping it to the net interface and the card seems to be working properly.

Regards,
Jamie

On Sun, Jul 18, 2010 at 9:26 AM, Tom Eastep <teastep@shorewall.net> wrote:
> On 7/17/10 8:22 PM, Jamie Kline wrote:
>> That worked! Well, mostly. Now I get full FTP banner, but then (this
>> is command-line from XP for what it's worth), I'm dumped back to the
>> prompt.
>>
>> FTP'ing through a browser lets me navigate directories, but more often
>> than not, times out - a subsequent refresh brings the listing up.
>>
>> Care to elude?
>
> I have taken another look at the dump this morning and I see nothing in
> the firewall configuration that would explain this behavior. The
> firewall only rules on new connections; once a connection is allowed,
> the firewall just passes packets.
>
> If it were my system, the next thing I would do is to use a packet
> sniffer and see what is going on at the link level.
>
> -Tom