netdev

Re: 2.4.0-test7: Trouble with ipchains (2.2-style) support

To: Brian Bisaillon <bbisaill@xxxxxxxxxxxxxxxxxx>
Subject: Re: 2.4.0-test7: Trouble with ipchains (2.2-style) support
From: Rusty Russell <rusty@xxxxxxxxxxxxxxxx>
Date: Fri, 08 Sep 2000 12:33:14 +1100
Cc: netdev@xxxxxxxxxxx
In-reply-to: Your message of "Wed, 06 Sep 2000 01:58:59 EDT." <39B5DD23.8C5D46DC@xxxxxxxxxxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx
In message <39B5DD23.8C5D46DC@xxxxxxxxxxxxxxxxxx> you write:
> I'm having trouble with linux kernel 2.4.0-test7 regarding the
> Networking Options / IP: Netfilter Configuration / ipchains (2.2-style)
> support.  Here is what I am experiencing:

> 1) When using a linux client behind the firewall, I can browse to
> www1.sympatico.ca using lynx no problem.  However, when I use Netscape
> it says it's Transferring data from the site but nothing happens.  It
> just sits there.

Looks like classic ICMP DF problem.  The MTU of your PPPoE link is <
1500, and these machines are filtering out ICMPs, so they don't get
back to them (from the ISP's PPPoE end).

This is not a problem with Linux at all, but to prove it (we've had
ICMP translation problems in the past in the 2.4 series), you can do a
tcpdump from a client (tcpdump -s1514 -x -n -p), then try to access
one of these `bad' sites with netscape.

You should see a successful TCP handshake, then netscape trying to
send a big (1500-byte) packet, then the firewall sending an `ICMP
unreachable: Fragmentation Needed', then netscape sending a smaller
packet, which gets through (you'll see an ACK)...

If this is the case, there are several solutions:

1) Complain loudly to the sites which are blocking ICMP unreachable
   errors.  They are shooting themselves in the foot.

2) Reduce the MTU of every ethernet interface inside your network to
   that of the PPPoE link.

3) Use the CVS version of iptables, and do `make patch-o-matic': apply
   the TCPMSS patch, recompile the kernel, then use that to mangle the
   MSS of outgoing TCP packets.

Sorry,
Rusty.
--
Hacking time.

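An added example, not code from Rusty's message or from the iptables project: a small Python script that applies the tcpdump diagnosis above to constructed (not captured) tcpdump-style lines, reporting whether the host that received the ICMP need-frag shrank its segments or kept retransmitting the oversized one, and computing the MSS that option 3 would clamp to. It assumes 20-byte IP and TCP headers and the old tcpdump line format shown in the sample.

```python
import re

# Constructed, simplified "tcpdump -n" lines (not a real capture) mimicking the
# trace Rusty describes: handshake, a 1500-byte DF segment from the client, then
# the firewall's ICMP need-frag advertising the 1492-byte PPPoE link MTU.
HANDSHAKE_AND_NEED_FRAG = """\
12:00:00.000 10.0.0.5.1025 > 198.51.100.7.80: S 100:100(0) win 32120 <mss 1460> (DF)
12:00:00.040 198.51.100.7.80 > 10.0.0.5.1025: S 900:900(0) ack 101 win 8760 <mss 1460> (DF)
12:00:00.041 10.0.0.5.1025 > 198.51.100.7.80: . ack 1 win 32120 (DF)
12:00:00.050 10.0.0.5.1025 > 198.51.100.7.80: P 1:1461(1460) ack 1 win 32120 (DF)
12:00:00.051 10.0.0.1 > 10.0.0.5: icmp: 198.51.100.7 unreachable - need to frag (mtu 1492)
"""
# Healthy ending: the client resends a segment that fits (1452 + 40 = 1492).
HEALTHY_TRACE = HANDSHAKE_AND_NEED_FRAG + """\
12:00:00.052 10.0.0.5.1025 > 198.51.100.7.80: P 1:1453(1452) ack 1 win 32120 (DF)
12:00:00.100 198.51.100.7.80 > 10.0.0.5.1025: . ack 1453 win 8760 (DF)
"""
# Broken ending: the ICMP is not acted on, the big segment is just retransmitted.
BLACKHOLE_TRACE = HANDSHAKE_AND_NEED_FRAG + """\
12:00:01.050 10.0.0.5.1025 > 198.51.100.7.80: P 1:1461(1460) ack 1 win 32120 (DF)
12:00:03.050 10.0.0.5.1025 > 198.51.100.7.80: P 1:1461(1460) ack 1 win 32120 (DF)
"""
TCP_RE = re.compile(r"^\S+ (?P<src>\S+)\.\d+ > \S+\.\d+: \S+(?: \d+:\d+\((?P<len>\d+)\))?")
ICMP_RE = re.compile(r"^\S+ \S+ > (?P<dst>\S+): icmp: \S+ unreachable - need to frag \(mtu (?P<mtu>\d+)\)")

def analyse(trace, hdr=40):
    """For every host that received an ICMP need-frag, report 'adapted' if it
    then sent a segment fitting the advertised MTU, or 'ignored' if it kept
    sending oversized DF segments.  hdr assumes 20-byte IP + 20-byte TCP headers."""
    told_mtu, verdict = {}, {}
    for line in trace.splitlines():
        m = ICMP_RE.match(line)
        if m:                                   # the firewall told m['dst'] the path MTU
            told_mtu[m["dst"]] = int(m["mtu"])
            continue
        m = TCP_RE.match(line)
        if not m or m["len"] is None or m["src"] not in told_mtu:
            continue                            # no payload, or sender not told yet
        if int(m["len"]) + hdr <= told_mtu[m["src"]]:
            verdict[m["src"]] = "adapted"
        elif "(DF)" in line and verdict.get(m["src"]) != "adapted":
            verdict[m["src"]] = "ignored"
    return verdict

def clamp_mss(link_mtu, hdr=40):
    """MSS that option 3 (TCPMSS) would clamp to so segments fit the link."""
    return link_mtu - hdr

if __name__ == "__main__":
    print(analyse(HEALTHY_TRACE), analyse(BLACKHOLE_TRACE), clamp_mss(1492))
```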