
Re: [Shorewall-users] Shorewall 2 port fw problems with one specific internet host.

From: Tom Eastep <teastep_at_nospam>
Date: Tue Apr 17 2012 - 16:50:16 GMT
To: shorewall-users@lists.sourceforge.net

On 4/17/12 9:44 AM, Bruce Edge wrote:
>
>
> On Mon, Apr 16, 2012 at 3:26 PM, Tom Eastep <teastep@shorewall.net> wrote:
>
> On 04/16/2012 03:21 PM, Bruce Edge wrote:
> >
> >
> > On Mon, Apr 16, 2012 at 2:28 PM, Tom Eastep <teastep@shorewall.net> wrote:
> >
> >
> > On Apr 16, 2012, at 1:48 PM, Bruce Edge <bruce.edge@gmail.com> wrote:
> >
> >> Shorewall is, in general, working fine. Much better than ufw imho.
> >>
> >> I have one single problem with one single web site on a 2
> >> interface fw.
> >>
> >> If I plug into my cable modem directly, this site works fine.
> >>
> >> I cannot access: https://www5.v1host.com/ from behind shorewall.
> >> In fact, I can't get to it even from the fw itself.
> >>
> >> With the cable modem on eth0 of my fw, neither machines behind it
> >> on eth1 nor the fw itself can get to this one specific web site.
> >
> > If you temporarily 'shorewall clear', can you access the site from
> > the fw? (Be sure to 'shorewall start' after testing.)
> >
> > Tom
> >
> >
> > No, that's the part I don't understand. Even that doesn't work.
> >
> > Just to reiterate for clarity, even after a "shorewall clear" I still
> > cannot access that site from either the fw or any machines behind it.
>
> Then I'm afraid that your problem has nothing to do with your Shorewall
> configuration.
>
>
> Not surprisingly, you were right.
>
> Just to follow up in case this helps anyone else, I fixed this by forcing
> my MTU to 1500 on both interfaces.
> No clue why I only saw this on one specific site.

A misconfigured router between you and that site is breaking path MTU
discovery.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
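As an added example (not part of this thread or of Shorewall itself), the check that confirms the path-MTU black hole Tom describes: find the largest packet that still gets a reply when the DF bit is set. Real probing uses Linux iputils `ping -M do -s SIZE` (assumed flags); the simulated link below is constructed input standing in for a hop that silently drops oversized DF packets instead of returning ICMP "fragmentation needed".

```python
"""Detect a path-MTU black hole by binary-searching DF-flagged probe sizes."""
import subprocess
from typing import Callable, Tuple

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df_probe(host: str, payload: int, timeout: int = 1) -> bool:
    """Send one ICMP echo of `payload` bytes with DF set and report whether a
    reply came back. Assumes Linux iputils ping (-M do = set DF, no PMTU fallback)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do",
           "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest IP packet length in [lo, hi] for which probe(payload) succeeds.
    `probe` takes the ICMP payload size; the search assumes it is monotonic
    (if size N passes, every smaller size passes too)."""
    if not probe(lo - IP_ICMP_OVERHEAD):
        raise RuntimeError("no reply even at %d bytes; host unreachable or ICMP filtered" % lo)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid - IP_ICMP_OVERHEAD):
            lo = mid          # mid fits, so the answer is mid or larger
        else:
            hi = mid - 1      # mid was dropped, so the answer is below mid
    return lo


def diagnose(probe: Callable[[int], bool], iface_mtu: int = 1500) -> Tuple[int, bool]:
    """Return (path_mtu, black_hole). black_hole is True when the path carries
    less than the local interface MTU: full-size DF packets (typical for TLS
    handshakes and bulk transfer) vanish while small ones get through."""
    pmtu = find_path_mtu(probe, hi=iface_mtu)
    return pmtu, pmtu < iface_mtu


def simulated_link(bottleneck_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a path whose smallest hop silently drops any
    DF packet larger than `bottleneck_mtu` (the black-hole behaviour)."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= bottleneck_mtu


if __name__ == "__main__":
    # Offline demo on the constructed link; swap in
    # lambda p: ping_df_probe("example.invalid", p) for a live check.
    print(diagnose(simulated_link(1400)))   # (1400, True)
```

A result below the interface MTU, with small pings fine and large ones silently lost, is the black-hole signature; lowering the interface MTU works around it, and on the Shorewall side MSS clamping (CLAMPMSS in shorewall.conf) is the usual mitigation for TCP traffic through the firewall.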
