Hi Andreas, thank you very much, now it works! All I've done is to adjust the values of mtu and mru from 1490 to 1492 in /etc/ppp/peers/pppoe, although my ifconfig told me before that mtu was set to 1492... Anyway, as I did not have any idea how to adapt your iptables rule to my configuration, I first tried it without that and it seems to be enough. Now I can surf every site on the internet again, isn't that great! Thank you again for your help! Best regards, Ralf Ronneburger
Andreas Baetz wrote:
On Wednesday 05 December 2001 17:39, you wrote:
Hallo Andreas,
sorry for replying in private, but I think this is getting a little OT for suse-security...
My mtu is set to 1492, as it's supposed to be. This does make sense to me, too, because the packets originate from the firewall, as the proxy is running there, so it should know what packets it can accept... Any other idea?
OK, this is what I did: I have a router with SuSE 7.3. I configured ppp0 with yast2 (text mode) and the ADSL Config module (not TDSL). With this config, the mtu + mru was set to 1490 (/etc/ppp/peers/pppoe, I think). I had an iptables script I made myself. From behind the router, I could access almost all sites, but not gmx.net. BTW, the site was not accessible from the router either. So I captured the packets on ppp0 and on my browser machine. They looked the same, so forwarding and masq were ok. The packets I got resemble the ones you got (handshake ok, GET request goes out, but no data from the server comes in). So I put "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" as the first FORWARD rule in my firewall script and restarted my firewall. Nothing. In the pppd debug output I saw they were negotiating mtu to be 1490. Then I changed the mtu and mru to 1492, killed pppd and restarted smpppd.
From then on I could access gmx.net, bahn.de etc., also from my browser machine. The page of gmx.net doesn't show up with all pictures in konqueror, but in netscape6 it does. I dunno if this has something to do with it. It seems that the default SuSE kernel comes with TCPMSS target support enabled.
If you find another solution, would you please let me know ?
best regards
Andreas Baetz
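The two fixes discussed in the thread (PPPoE MTU/MRU of 1492 and an MSS clamp on forwarded SYNs) as an added, runnable example. This is not code from either poster; it assumes the interface name ppp0, the peers file /etc/ppp/peers/pppoe and an iptables build with the TCPMSS target, and the sample peers-file content it rewrites is constructed here. It also shows why 1490 versus 1492 matters: a LAN host that assumes a 1500-byte MTU advertises MSS 1460, which does not fit through a 1492-byte PPPoE link once the DF bit is set and ICMP "fragmentation needed" is filtered somewhere on the path, which is exactly the "handshake ok, no data back" symptom both posters saw.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions (not stated on the page): interface ppp0, peers file
# /etc/ppp/peers/pppoe, iptables with the TCPMSS target.

PPP_IF="${PPP_IF:-ppp0}"
PEERS_FILE="${PEERS_FILE:-/etc/ppp/peers/pppoe}"
PPPOE_MTU=1492   # 1500-byte Ethernet MTU minus 6 bytes PPPoE + 2 bytes PPP header

# Largest TCP payload that fits one IPv4 packet of the given MTU:
# 20 bytes IPv4 header + 20 bytes TCP header (no options).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Would a full-size segment from a peer that assumes the given MTU
# get through the PPPoE link?  Prints "ok" or "blackhole".
# A host on the LAN assuming MTU 1500 advertises MSS 1460 > 1452, so its
# largest segments are dropped when DF is set and ICMP "frag needed" is lost.
segment_fits() {
    peer_mss=$(mss_for_mtu "$1")
    if [ "$peer_mss" -le "$(mss_for_mtu "$PPPOE_MTU")" ]; then
        echo ok
    else
        echo blackhole
    fi
}

# The rule from the thread: rewrite the MSS option on every forwarded SYN so
# both ends agree on a segment size the link can actually carry.
clamp_rule() {
    echo "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Explicit variant for when path MTU discovery itself is broken upstream:
# pin the MSS to what the PPPoE MTU allows (1452 for MTU 1492).
clamp_rule_fixed() {
    echo "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o $PPP_IF -j TCPMSS --set-mss $(mss_for_mtu "$PPPOE_MTU")"
}

# Rewrite "mtu N" / "mru N" lines in a pppd peers file (stdin -> stdout),
# e.g. the 1490 YaST wrote, to the PPPoE value of 1492.
fix_peers_config() {
    sed -e "s/^mtu [0-9][0-9]*/mtu $PPPOE_MTU/" \
        -e "s/^mru [0-9][0-9]*/mru $PPPOE_MTU/"
}

# Apply both fixes on the router (root). Only runs when invoked as
# "sh this_script.sh apply", so sourcing the file stays side-effect free.
apply_fix() {
    tmp="$PEERS_FILE.new"
    fix_peers_config < "$PEERS_FILE" > "$tmp" && mv "$tmp" "$PEERS_FILE"
    eval "$(clamp_rule)"
    echo "peers file updated and MSS clamp installed; restart pppd to renegotiate MRU"
}

if [ "${1:-}" = apply ]; then
    apply_fix
fi
```

Run `sh mss_clamp.sh apply` as root on the router, then restart pppd (the posters killed pppd and restarted smpppd) so the new MRU is actually negotiated; the pppd debug log should then show 1492 instead of 1490. The clamp rule belongs early in the FORWARD chain, before any rule that could ACCEPT the SYN first.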