[Shorewall-users] Shorewall, rp-pppoe & big transfers

Joshua Banks l0f33t at yahoo.com
Mon Dec 15 08:01:42 PST 2003


I forgot to append this to my previous response today:

#
# MSS CLAMPING
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
#    This option adds a `TCPMSS' target, which allows you to alter the
#    MSS value of TCP SYN packets, to control the maximum size for that
#    connection (usually limiting it to your outgoing interface's MTU
#    minus 40).
#
#    This is used to overcome criminally braindead ISPs or servers which
#    block ICMP Fragmentation Needed packets.  The symptoms of this
#    problem are that everything works fine from your Linux
#    firewall/router, but machines behind it can never exchange large
#    packets:
#        1) Web browsers connect, then hang with no data received.
#        2) Small mail works fine, but large emails hang.
#        3) ssh works fine, but scp hangs after initial handshaking.
# ]
#
# If left blank, or set to "No" or "no", the option is not enabled.
#

--- Joshua Banks <l0f33t at yahoo.com> wrote:
> 
> --- Dominique Archambault <apox at yahoo.com> wrote:
> > st1\:*{behavior:url(#default#ieooui) }
> 
> What is that stuff above. ICKY... :D
> 
> > First, thanks for replying! :)
> 
> No problem Dominique.
> 
> 
> > I have to set the packetsize at 1464 or lower, same for Windows, to
> > ping the host.
> 
> Yes.. This was one of the base facts I was looking for. You have a
> max mtu of 1492 bytes.
> When you use ping with the options specified you told it to pad the
> data payload of the packet with 1492 bytes and not to fragment the
> packet in transit. Add an additional 20 bytes for the IP header and
> another additional 8 bytes for the ICMP header and you're 28 bytes over
> your Max mtu of 1492. So your actual max (mss) or same as (your max
> data payload unfragmented) when sending ICMP is 1464 bytes. Or ICMP
> MSS = MAX MTU - 28 bytes. This will be the same when using
> applications that utilize UDP.
> 
> When you have an application that is using TCP this will be MSS = MAX
> MTU - 40 to - 44 bytes. IP header = 20 bytes, TCP header = 20 to 24
> bytes (the other 4 bytes are for TCP options). For you, max TCP mss
> unfragmented is 1448 bytes, or 1452 if no tcp options are used in
> the tcp header.
> 
> 
> > To reestablish connection, I have to either wait until pppd restarts
> > the connection automatically, or restart it manually. No DSL modem
> > power cycling or anything needs to be done...
> 
> And before shorewall was put in place to route/firewall/nat, you used
> a DLink router connected to the same cable modem?
>  
> 
> > I will over the next 2-3 days do some packet sniffing, and I'll
> > try to get some interesting/relevant Logs...
> 
> This will help out a lot.
> 
> > I'm not trying to blame Shorewall per se, just trying to figure
> > out what's going on. Up to now, everything points to Shorewall,
> > but it's mainly circumstantial evidence :) The Max MTU set on my
> > PPPoE connection (in PPPoE config) is 1412, just in case. I tried
> > with various numbers between 1412 and 1492, but to no avail.
> 
> I'm sorry. I didn't mean to say you WERE blaming Shorewall. What I
> meant to say was, "To establish that Shorewall is the problem we need
> to gather some more solid facts."
> 
> Dominique, if this is something (the problem that you're describing)
> that you can replicate at will, then that's half the battle and makes
> troubleshooting a lot easier, believe it or not. E.g. on an internal
> windows machine install and start "ethereal" while doing one of your
> big file transfers that causes your problem.
> Install "ethereal" on the Shorewall machine and have it sniff off
> "ppp0" at the same time you're doing the huge file transfer.
> 
> Both ethereal captures along with the Shorewall logs and the info
> that you're providing here in this post and the next should isolate
> where the problem is actually occurring.
> 
> You said:
> > The Max MTU set on my PPPoE connection (in PPPoE config) is 1412,
> > just in case. I tried with various numbers between 1412 and 1492,
> > but to no avail.
> 
> My response:
> Did you do this on the machine running Shorewall or a machine behind
> Shorewall?
> 
> My recommendation is to set your mtu on a windows machine to a more
> than safe minimum of 1448 bytes. Turn on ethereal on this machine and
> the shorewall machine and start your big file transfer on this
> machine.
> (For adjusting MTU values on windows 9x machines I recommend an app
> called Dr. Tcp.) Google it and you'll find it. This way you don't
> have to mess with the registry. This app does it for you on the fly.
> Make sure to read the documentation. There's not much to read.
> 
> I noticed that you had eth0 and eth1. Tell us a little more about
> your network please. I.e. which one is local and which is your Dmz?
> 
> So is this something that you can replicate?
> 
> If so then what kind of application are you using? Brand name
> please... to do what kind of file transfers? Ftp, smtp, http, tftp,
> telnet, rsync....(and for those, any particular flavor) apache, proftp,
> postfix, qmail, sendmail..yada..yada..yada.. ?? Are you uploading or
> downloading?? Is this using Tcp, Udp, Ipsec etc.. etc...
> 
> And just to make sure I understand you correctly, this is happening
> when internal clients are transferring big files to servers out on the
> external internet somewhere?? Not a server on the dmz or a server
> located on an internal WAN?
> 
> Thanks,
> Joshua Banks
> 
> __________________________________
> Do you Yahoo!?
> New Yahoo! Photos - easier uploading and sharing.
> http://photos.yahoo.com/
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users at lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

