Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] Access to some webservers through firewall
  • From: Ralf Ronneburger <ralf@xxxxxxxxxxxxxx>
  • Date: Thu, 06 Dec 2001 11:25:44 +0100
  • Message-id: <3C0F47A8.5030304@xxxxxxxxxxxxxx>
Hi Andreas,

thank you very much, now it works! All I've done is to adjust the values
of mtu and mru from 1490 to 1492 in /etc/ppp/peers/pppoe, although my
ifconfig told me before that mtu was set to 1492... Anyway, as I did
not have any idea how to adapt your iptables rule to my configuration, I
first tried it without that and it seems to be enough. Now I can surf
every site on the internet again, isn't that great! Thank you again for
your help!

Best regards,

Ralf Ronneburger

Andreas Baetz wrote:

> On Wednesday 05 December 2001 17:39, you wrote:
>
>>Hello Andreas,
>>
>>sorry for replying in private, but I think this is getting a little OT
>>for suse-security...
>>
>>My mtu is set to 1492, as it's supposed to be. This does make sense to
>>me, too, because the packets originate from the firewall, as the proxy
>>is running there, so it should know what packets it can accept... Any
>>other idea?
>>
>>
> OK, this is what I did:
> I have a router with SuSE 7.3. I configured ppp0 with yast2 (textmode)
> and the ADSL Config module (not TDSL). With this config, the mtu + mru was
> set to 1490 (/etc/ppp/peers/pppoe I think). I had an iptables script that I
> made myself. From behind the router, I could access almost all sites, but not gmx.net.
> BTW, the site was not accessible from the router either.
> So I captured the packets on ppp0 and on my browser machine. They looked
> the same, so forwarding and masq were ok. The packets I got resemble the
> ones you got (handshake ok, GET request goes out, but no data from the server
> comes in). So I put
> "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
> as the first forward rule in my firewall script and restarted my firewall.
> Nothing. In the pppd debug output I saw they were negotiating mtu to be 1490.
> Then I changed the mtu and mru to 1492, killed pppd and restarted smpppd.
> From then on I could access gmx.net, bahn.de etc., also from my browser machine.
> The page of gmx.net doesn't show up with all pictures in konqueror, but in
> netscape6 it does. I dunno if this has something to do with it.
> It seems that the default SuSE kernel comes with TCPMSS target support enabled.
>
> If you find another solution, would you please let me know ?
>
> best regards
>
> Andreas Baetz
>

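The MSS clamp Andreas mentions, and the MTU arithmetic behind it, as an added example that is not part of the thread and not SuSE's or netfilter's code. The script below constructs a sample TCP SYN (addresses and ports are made up) and then does in user space what the iptables TCPMSS target with --clamp-mss-to-pmtu does in the kernel: walk the TCP options of a SYN, lower an MSS larger than the link can carry to MTU minus the 40 bytes of IPv4 and TCP headers (1492 - 40 = 1452), and recompute the TCP checksum. The helper names (build_syn, clamp_mss, read_mss, tcp_checksum_ok) are this example's own. It only lowers an existing MSS option; it does not insert one where the SYN carries none, and it assumes an IPv4 header without options.

```python
"""Added example: user-space model of the TCPMSS --clamp-mss-to-pmtu rewrite."""
import struct

IPV4_HDR_LEN = 20          # IPv4 header without options (assumed here)
TCP_HDR_LEN = 20           # fixed part of the TCP header
TCP_OPT_MSS = 2            # option kind: Maximum Segment Size
PPPOE_MTU = 1492           # Ethernet 1500 minus 6 bytes PPPoE + 2 bytes PPP


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(tcp))
    return checksum(pseudo + tcp)


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample: an IPv4/TCP SYN carrying a 4-byte MSS option."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_off = (TCP_HDR_LEN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                      data_off << 4, 0x02, 8192, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(tcp),
                     0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def _options(tcp: bytes):
    """Yield (offset, kind, length) per TCP option; stop on EOL or garbage."""
    data_off = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                 # End of option list
            return
        if kind == 1:                 # NOP padding, no length byte
            i += 1
            continue
        if i + 1 >= data_off:
            return
        length = tcp[i + 1]
        if length < 2 or i + length > data_off:
            return                    # malformed option: do not trust the rest
        yield i, kind, length
        i += length


def read_mss(packet: bytes):
    """Return the MSS advertised in the SYN's options, or None if absent."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    for off, kind, length in _options(tcp):
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack("!H", tcp[off + 2:off + 4])[0]
    return None


def clamp_mss(packet: bytes, link_mtu: int):
    """Model of 'iptables -j TCPMSS --clamp-mss-to-pmtu' on one packet.
    Returns (packet, new_mss); new_mss is None when nothing was rewritten."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                          # not TCP
        return packet, None
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & 0x02:                      # MSS is only meaningful on SYN
        return packet, None
    max_mss = link_mtu - IPV4_HDR_LEN - TCP_HDR_LEN   # 1492 -> 1452
    new_mss = None
    for off, kind, length in _options(bytes(tcp)):
        if kind == TCP_OPT_MSS and length == 4:
            mss = struct.unpack("!H", tcp[off + 2:off + 4])[0]
            if mss > max_mss:                   # leave smaller values alone
                tcp[off + 2:off + 4] = struct.pack("!H", max_mss)
                new_mss = max_mss
    if new_mss is None:
        return packet, None
    tcp[16:18] = b"\x00\x00"                    # recompute the TCP checksum
    tcp[16:18] = struct.pack("!H", _tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp), new_mss


def tcp_checksum_ok(packet: bytes) -> bool:
    """A correct checksum, summed together with its own field, gives zero."""
    ihl = (packet[0] & 0x0F) * 4
    return _tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


if __name__ == "__main__":
    syn = build_syn(bytes([192, 168, 1, 10]), bytes([198, 51, 100, 7]), 40000, 80, 1460)
    clamped, new_mss = clamp_mss(syn, PPPOE_MTU)
    # prints "MSS 1460 -> 1452, checksum ok: True"
    print("MSS %d -> %s, checksum ok: %s" % (read_mss(syn), new_mss, tcp_checksum_ok(clamped)))
```

A host on the LAN with an Ethernet MTU of 1500 advertises MSS 1460; the server then sends 1500-byte packets that the 1492-byte ppp link cannot carry, and if the ICMP "fragmentation needed" messages are filtered, the transfer stalls exactly as described above (handshake and GET go through, no data comes back). The clamp in the FORWARD chain only touches packets routed through the firewall; connections opened by the firewall itself, such as a proxy running on it, pass through OUTPUT instead, so for those the MTU configured on ppp0 is what determines the segment size.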