Re: [suse-security] *weird* Apache/Firewall problem.
From what you say here, your DMZ is *INSIDE* your protected network. This won't work, or at least this is not a DMZ.
Internal network (masqueraded): 192.168.1.0/24
DMZ (masqueraded): 192.168.10.0/24 (note that third number, ten instead of one)
I was being put off track by your reference to 192.168.0.0/16. But if you only use it to filter packets on the FW and not to route them, it should be OK. So, addresses, routes and masqueraded networks seem OK too...
Per my last post, here's me navigating from the first page which I see, minus the .GIF's, down through the /usr/doc link to:
So, only the GIFs seem to be broken... can you try other big files? A JPG, for example? Also, what happens if you try to browse http://ii.jj.kk.ll/gif/penguin.gif and, what happens if you try to do, from your home PC, a telnet ii.jj.kk.ll 80 GET /gif/penguin.gif
I've posted some of the relevant parts... Do you need me to post the whole thing?
No... The Linux packet filter is not intelligent enough to tell apart GIFs from HTML docs... ;-) I suspect something strange is happening... did you check the MTU between your home PC and your FW? Using Windows, you can use the -f parameter of ping, and then specify a big ping packet size. This way, you can tell if there's a non-fragmenting router somewhere in between. BTW, did you check that, from other hosts on the 'net, loading the page shows the same behaviour?
Thanks for the help. :-)
I'd like to have been able to... ;-) Ciao, Roberto. P.S. My delayed reply is due to Telecom Italia network problems... Two days down... ;-(
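The MTU check Roberto suggests above (DF-bit pings of increasing size to find a router that silently drops large packets), as an added example that is not part of the original thread. It assumes a local `ping` that can set Don't-Fragment and take a payload size: iputils `ping -M do -s` on Linux, `ping -f -l` on Windows. The `simulated_path` helper is a constructed stand-in so the search logic can be run offline; the diagnosis it supports is the one from the thread: if the path MTU comes out below 1500 and the drop is silent, small HTML pages get through while larger responses such as GIFs stall.

```python
"""Path-MTU probe by binary search over DF-bit pings (added example)."""
import platform
import subprocess
from typing import Callable, List

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo header; MTU = payload + IP_HEADER + ICMP_HEADER


def ping_command(host: str, payload: int) -> List[str]:
    """Build a one-packet ping with DF set, using the local platform's flags."""
    if platform.system() == "Windows":
        # -f: don't fragment, -l: payload bytes, -n 1: single probe, -w: timeout ms
        return ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(payload), host]
    # iputils: -M do sets DF and refuses local fragmentation; -s is payload bytes
    return ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]


def real_probe(host: str) -> Callable[[int], bool]:
    """Probe function that really sends a DF ping and reports whether it was answered."""
    def probe(payload: int) -> bool:
        result = subprocess.run(ping_command(host, payload),
                                capture_output=True, text=True)
        return result.returncode == 0
    return probe


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed offline stand-in: a hop on the path drops DF packets above path_mtu."""
    def probe(payload: int) -> bool:
        return payload + IP_HEADER + ICMP_HEADER <= path_mtu
    return probe


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest MTU in [lo, hi] whose DF probe succeeds; 0 if even the minimum fails.

    Each probe sends an ICMP echo whose total IP size equals the MTU being tested.
    """
    if not probe(lo - IP_HEADER - ICMP_HEADER):
        return 0
    best = lo
    lo += 1
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid - IP_HEADER - ICMP_HEADER):
            best = mid        # this size passed; look for something bigger
            lo = mid + 1
        else:
            hi = mid - 1      # dropped; the bottleneck is smaller
    return best


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    probe_fn = real_probe(target) if target else simulated_path(1400)
    print("path MTU:", find_path_mtu(probe_fn))
```

Run it with a hostname argument to probe a real path, or without one to see the search converge against the simulated 1400-byte bottleneck. A result of 0 means not even a 576-byte packet passes with DF set, which usually indicates ICMP is being filtered rather than a genuine MTU problem.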
Roberto writes:
So, addresses, routes and masqueraded networks seem OK too...
Yup, and you'll never believe what the problem was. It wasn't our network at all. Our ISP has three caching web servers.

I shut down the firewall's forwarding of port 80 to the web server on our DMZ segment. I then told the SSH daemon on the firewall to listen on ports 22, 79, 80, 81, and 8889 (just for giggles). The techs at our ISP could get a response from the SSH daemon on ports 22, 79, 81, and 8889, but NOT port 80. (You should have heard some of the responses as their third-tier support personnel got involved... "Why the hell is he running SSH on port 80??" *laugh*)

I finally spoke with "that one guy" that lives at every good ISP. You know, the sysadmin who walks on water, calms a troubled rack of servers with a gentle gesture, and ... knows things. }:> He figured out that their caching servers for web traffic might be getting in our way.

What had happened was that I had limited connections to our web server to: 192.168.16.0/24 (both our internal networks), a bank of machines at our client's work place, and my home firewall. The caching web servers were _not_ permitted access. Our logs show their caching servers being denied quite a number of times as they tried to connect to us on port 80. Eventually, they cached the connection error on all three servers, and then when I set all the configs back to normal and opened our web server to the world... the caching servers at our ISP would simply tell all inbound traffic that port 80 at our site was down.

It's solved, my ISP is now fully aware of the problem, and is working on it. They're following up with Cisco. They've already called me back at home with an update to let me know what's going on. It was three hours on the phone, but after having experienced horrible ISPs over the past few years, I felt _very_ well taken care of by our business's current ISP. That's something you don't get the opportunity to say every day. If anyone's interested, we use Everest (www.everestgt.com).
Thank you so much for hanging in there with me and trying to help, Roberto. If nothing else, the moral support was very appreciated. :-)
P.S. My delayed reply is due to Telecom Italia network problems... Two days down... ;-(
Sorry to hear you're having problems with your ISP, Roberto. Hopefully they'll pull things together for you. Sincerely, Argentium
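The clue Argentium found in the firewall logs (the ISP's caching servers being denied on port 80 because they were missing from the allowlist), as an added example that is not part of the original thread. The log lines below are constructed, in iptables LOG style (SRC=/DST=/DPT=); the firewall in the thread would have written ipchains-style lines, so the regex is the part to adapt. The allowlist used in the `__main__` block is constructed from the thread's own 192.168.16.0/24 plus placeholder documentation prefixes; the three repeatedly denied sources stand in for the three caches.

```python
"""Find hosts repeatedly denied on a port, and which of them fall outside the allowlist (added example)."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample: packet-filter denials as a syslog-style kernel log.
SAMPLE_LOG = """\
Jun  3 10:01:12 fw kernel: DENY-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=40211 DPT=80 SYN
Jun  3 10:01:15 fw kernel: DENY-IN: IN=eth0 OUT= SRC=203.0.113.11 DST=192.0.2.5 PROTO=TCP SPT=40212 DPT=80 SYN
Jun  3 10:01:40 fw kernel: DENY-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=40250 DPT=80 SYN
Jun  3 10:02:02 fw kernel: DENY-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=51000 DPT=22 SYN
Jun  3 10:02:30 fw kernel: DENY-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=40300 DPT=80 SYN
Jun  3 10:03:01 fw kernel: DENY-IN: IN=eth0 OUT= SRC=203.0.113.12 DST=192.0.2.5 PROTO=TCP SPT=40401 DPT=80 SYN
"""

# Fields we need from an iptables-style LOG line (assumed format, see lead-in).
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+PROTO=(?P<proto>\w+)\s+SPT=\d+\s+DPT=(?P<dpt>\d+)"
)


def parse_denials(text: str) -> List[Dict[str, str]]:
    """Return one dict per denied packet; lines that are not denials are skipped."""
    events = []
    for line in text.splitlines():
        if "DENY" not in line:
            continue
        match = LINE_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def denied_by_source(events: Iterable[Dict[str, str]], port: int = 80) -> Counter:
    """Count TCP denials to the given destination port, keyed by source address."""
    return Counter(e["src"] for e in events
                   if e["proto"] == "TCP" and int(e["dpt"]) == port)


def outside_allowlist(counts: Counter, allowlist: Iterable[str]) -> List[Tuple[str, int]]:
    """Denied sources not covered by any allowlisted prefix, most frequent first.

    A source that keeps retrying and is not on the allowlist is the pattern to look
    at: in the thread it was the ISP's own caches, which then remembered the failure.
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    addr_ok = lambda a: any(ipaddress.ip_address(a) in net for net in nets)
    return [(src, n) for src, n in counts.most_common() if not addr_ok(src)]


if __name__ == "__main__":
    # 192.168.16.0/24 is the internal range from the thread; the /32 is a placeholder
    # for "the home firewall" and is constructed for this example.
    allow = ["192.168.16.0/24", "198.51.100.7/32"]
    counts = denied_by_source(parse_denials(SAMPLE_LOG), port=80)
    for src, n in outside_allowlist(counts, allow):
        print(f"{src:16} denied {n}x on tcp/80 and not in allowlist")
```

Sorting by count matters: an upstream proxy that retries every few seconds will float to the top, while a one-off scan sits at the bottom. Once the repeat offenders are identified, confirming who owns them (here it would have been the ISP) is what turns the log evidence into the fix.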
participants (2)
- Argentium G. Tiger
- r.maurizzi@gvs.it