[Shorewall-users] Shorewall, rp-pppoe & big transfers

Joshua Banks l0f33t at yahoo.com
Mon Dec 15 14:49:01 PST 2003


After further review I believe that setting up your local machines with
an MTU of 1492 bytes and making sure the below "CLAMPMSS=Yes" is set in
"/etc/shorewall.conf" ("Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set" as well) should do the trick. If
it doesn't then I believe that you've done something on shorewall to not
allow the needed "ICMP Fragmentation Needed" packets back to the clients.
Either that or the ICMP packets are making it back but the client
application that you're running is ignoring them. But then there's the
fact that you claim that a DLink router and some other router didn't give
you any trouble.

So I suspect shorewall configuration tweaks are needed. If not then packet
sniffs are definitely going to tell us what's happening.

HTH's,
Joshua Banks


--- Joshua Banks <l0f33t at yahoo.com> wrote:
> I forgot to append this to my previous response today:
> 
> #
> # MSS CLAMPING
> #
> # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
> # option. This option is most commonly required when your internet
> # interface is some variant of PPP (PPTP or PPPoE). Your kernel must
> # have CONFIG_IP_NF_TARGET_TCPMSS set.
> #
> # [From the kernel help:
> #
> #    This option adds a `TCPMSS' target, which allows you to alter the
> #    MSS value of TCP SYN packets, to control the maximum size for that
> #    connection (usually limiting it to your outgoing interface's MTU
> #    minus 40).
> #
> #    This is used to overcome criminally braindead ISPs or servers which
> #    block ICMP Fragmentation Needed packets.  The symptoms of this
> #    problem are that everything works fine from your Linux
> #    firewall/router, but machines behind it can never exchange large
> #    packets:
> #        1) Web browsers connect, then hang with no data received.
> #        2) Small mail works fine, but large emails hang.
> #        3) ssh works fine, but scp hangs after initial handshaking.
> # ]
> #
> # If left blank, or set to "No" or "no", the option is not enabled.
> #
> 
> --- Joshua Banks <l0f33t at yahoo.com> wrote:
> > 
> > --- Dominique Archambault <apox at yahoo.com> wrote:
> > > st1\:*{behavior:url(#default#ieooui) }
> > 
> > What is that stuff above. ICKY... :D
> > 
> > > First, thanks for replying! :)
> > 
> > No problem Dominique.
> > 
> > 
> > > I have to set the packetsize at 1464 or lower, same for Windows, to
> > > ping the host.
> > 
> > Yes.. This was one of the base facts I was looking for. You have a max
> > MTU of 1492 bytes.
> > When you use ping with the options specified you told it to pad the
> > data payload of the packet with 1492 bytes and not to fragment the
> > packet in transit. Add an additional 20 bytes for the IP header and
> > another additional 8 bytes for the ICMP header and you're 28 bytes over
> > your max MTU of 1492. So your actual max (MSS), or same as (your max
> > data payload unfragmented) when sending ICMP, is 1464 bytes. Or ICMP
> > MSS = MAX MTU - 28 bytes. This will be the same when using applications
> > that utilize UDP.
> > 
> > When you have an application that is using TCP this will be MSS = MAX
> > MTU - 40 to -44 bytes. IP header = 20 bytes, TCP header = 20 to 24 bytes
> > (the other 4 bytes are for TCP options). For you, max TCP MSS
> > unfragmented is 1448 bytes, or 1452 if no TCP options are used in the
> > TCP header.
> > 
> > 
> > > To reestablish connection, I have to either wait until pppd restarts
> > > the connection automatically, or restart it manually. No DSL modem
> > > power cycling or anything needs to be done...
> > 
> > And before shorewall was put in place to route/firewall/nat, you used a
> > DLink router connected to the same cable modem?
> >  
> > 
> > > I will over the next 2-3 days do some packet sniffing, and I'll
> > > try to get some interesting/relevant logs...
> > 
> > This will help out a lot.
> > 
> > > I'm not trying to blame Shorewall per se, just trying to figure
> > > out what's going on. Up to now, everything points to Shorewall,
> > > but it's mainly circumstantial evidence :) The Max MTU set on my
> > > PPPoE connection (in PPPoE config) is 1412, just in case. I tried with
> > > various numbers between 1412 and 1492, but to no avail.
> > 
> > I'm sorry. I didn't mean to say you WERE blaming Shorewall. What I
> > meant to say was, "To establish that Shorewall is the problem we need
> > to gather some more solid facts."
> > 
> > Dominique, if this is something (the problem that you're describing)
> > that you can replicate at will, then that's half the battle and makes
> > troubleshooting a lot easier, believe it or not. E.g. on an internal
> > Windows machine install and start "ethereal" while doing one of your
> > big file transfers that causes your problem.
> > Install "ethereal" on the Shorewall machine and have it sniff off "ppp0"
> > at the same time you're doing the huge file transfer.
> > 
> > Both ethereal captures along with the Shorewall logs and the info that
> > you're providing here in this post and the next should isolate where the
> > problem is actually occurring.
> > 
> > You said:
> > > The Max MTU set on my PPPoE connection (in PPPoE config) is 1412, just
> > > in case. I tried with various numbers between 1412 and 1492, but to
> > > no avail.
> > 
> > My response:
> > Did you do this on the machine running Shorewall or a machine behind
> > Shorewall?
> > 
> > My recommendation is to set your MTU on a Windows machine to a more
> > than safe minimum of 1448 bytes. Turn on ethereal on this machine and
> > the shorewall machine and start your big file transfer on this machine.
> > (For adjusting MTU values on Windows 9x machines I recommend an app
> > called Dr. TCP.) Google it and you'll find it. This way you don't have
> > to mess with the registry. This app does it for you on the fly. Make
> > sure to read the documentation. There's not much to read.
> > 
> > I noticed that you had eth0 and eth1. Tell us a little more about your
> > network please. I.e. which one is local and which is your DMZ?
> > 
> > So is this something that you can replicate?
> > 
> > If so then what kind of application are you using? Brand name please...
> > to do what kind of file transfers? FTP, SMTP, HTTP, TFTP, telnet,
> > rsync.... (and for those, any particular flavor) apache, proftp,
> > postfix, qmail, sendmail.. yada.. yada.. yada.. ?? Are you uploading or
> > downloading?? Is this using TCP, UDP, IPsec etc.. etc...
> > 
> > And just to make sure I understand you correctly this is happening when
> > internal clients are transferring big files to servers out on the
> > EXTERNAL internet somewhere?? Not a server on the DMZ or a server
> > located on an internal WAN?
> > 
> > Thanks,
> > Joshua Banks
> > 
> > __________________________________
> > Do you Yahoo!?
> > New Yahoo! Photos - easier uploading and sharing.
> > http://photos.yahoo.com/
> > _______________________________________________
> > Shorewall-users mailing list
> > Post: Shorewall-users at lists.shorewall.net
> > Subscribe/Unsubscribe:
> > https://lists.shorewall.net/mailman/listinfo/shorewall-users
> > Support: http://www.shorewall.net/support.htm
> > FAQ: http://www.shorewall.net/FAQ.htm
> 
> 
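The thread's arithmetic (MTU 1492 on the PPPoE link, 1464 bytes of ICMP payload, TCP MSS 1452 or 1448) and its two remedies, looking for "ICMP Fragmentation Needed" in a sniffer capture and clamping the MSS on forwarded SYNs, fit in one small diagnostic script. This is an added example, not code from the list or from the Shorewall project; the sample ping/tcpdump lines are constructed, the regular expression assumes the wording of Linux ping and tcpdump "frag needed" notices, and the iptables rules are my assumption of what Shorewall's CLAMPMSS=Yes amounts to (the page only says it uses the kernel's TCPMSS target, CONFIG_IP_NF_TARGET_TCPMSS).

```python
import re

# Header sizes used in the thread's arithmetic (bytes).
IP_HEADER = 20
ICMP_HEADER = 8
TCP_HEADER = 20


def mtu_from_ping_payload(largest_df_payload: int) -> int:
    """Largest ping payload that gets through with DF set -> link/path MTU.
    1464 + 20 (IP) + 8 (ICMP) = 1492 for the PPPoE link in the thread."""
    return largest_df_payload + IP_HEADER + ICMP_HEADER


def max_icmp_or_udp_payload(mtu: int) -> int:
    """The thread's 'MAX MTU - 28': largest unfragmented ICMP/UDP payload."""
    return mtu - IP_HEADER - ICMP_HEADER


def tcp_mss_for_mtu(mtu: int, tcp_option_bytes: int = 0) -> int:
    """MSS a TCP peer may use without fragmentation: MTU - 40, less any
    TCP option bytes (the thread's 1452 / 1448 figures for MTU 1492)."""
    return mtu - IP_HEADER - TCP_HEADER - tcp_option_bytes


# Matches the "fragmentation needed" notices ping and tcpdump print.
# Assumption: the wording follows Linux ping ("Frag needed and DF set
# (mtu = N)") and tcpdump ("need to frag (mtu N)").
FRAG_NEEDED = re.compile(
    r"(?:frag needed|need to frag)[^0-9]*mtu\s*=?\s*(\d+)", re.I
)


def path_mtus_from_log(lines):
    """Return every MTU advertised in 'Fragmentation Needed' messages found
    in ping/tcpdump output. An empty result while a big transfer hangs is
    the signature of a black-holed PMTU path: nothing tells the client to
    shrink its segments, so it keeps sending full-size ones that never
    arrive."""
    mtus = []
    for line in lines:
        m = FRAG_NEEDED.search(line)
        if m:
            mtus.append(int(m.group(1)))
    return mtus


def clamp_rules(mtu: int, iface: str = "ppp0"):
    """iptables rules using the TCPMSS target (the kernel option the quoted
    shorewall.conf comment requires; assumed equivalent to CLAMPMSS=Yes).
    Both rewrite the MSS option on SYNs forwarded out the PPP interface:
    the first clamps to the discovered path MTU, the second pins a value
    derived from the link MTU for links where PMTU discovery is blocked."""
    match = f"-t mangle -A FORWARD -o {iface} -p tcp --tcp-flags SYN,RST SYN"
    return [
        f"iptables {match} -j TCPMSS --clamp-mss-to-pmtu",
        f"iptables {match} -j TCPMSS --set-mss {tcp_mss_for_mtu(mtu)}",
    ]


# Constructed sample log: one ping line and one tcpdump line that report
# the MTU, plus an ordinary data segment that must be ignored.
SAMPLE_LOG = [
    "From 10.0.0.1 icmp_seq=1 Frag needed and DF set (mtu = 1492)",
    "12:00:01.000 IP 10.0.0.1 > 192.168.1.10: ICMP 203.0.113.5 "
    "unreachable - need to frag (mtu 1492), length 36",
    "12:00:01.001 IP 192.168.1.10.34567 > 203.0.113.5.80: Flags [.], "
    "seq 1:1449, ack 1, length 1448",
]

if __name__ == "__main__":
    mtu = mtu_from_ping_payload(1464)
    print(f"link MTU {mtu}: ICMP/UDP payload {max_icmp_or_udp_payload(mtu)}, "
          f"TCP MSS {tcp_mss_for_mtu(mtu)} (no options) / "
          f"{tcp_mss_for_mtu(mtu, 4)} (4 option bytes)")
    print("advertised path MTUs:", path_mtus_from_log(SAMPLE_LOG))
    for rule in clamp_rules(mtu):
        print(rule)
```

Run `path_mtus_from_log` over the ppp0 capture taken during a hanging transfer: if the remote side's "need to frag" replies appear there but never in the capture on the internal Windows machine, the firewall is dropping them and the fix is to let them through; if they never appear on ppp0 at all, the path is black-holing them and clamping the MSS is the practical workaround. The `--set-mss` variant is only worth using when `--clamp-mss-to-pmtu` cannot learn the right value because the router's own PMTU discovery is also broken.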



