Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] Access to some webservers through firewall
  • From: Andreas Baetz <andreas.baetz@xxxxxxxx>
  • Date: Wed, 5 Dec 2001 13:38:49 +0100
  • Message-id: <01120513384900.10370@pp1>
On Wednesday 05 December 2001 11:32, Ralf Ronneburger wrote:
> Hello Andreas,
> Actually there is some reply from the server, the whole conversation
> between the two of them is this:
> 10:09:40.228711 > S
> 120893175:120893175(0) win 5808 <mss 1452,sackOK,timestamp 73022819
> 0,nop,wscale 0> (DF)
> 10:09:40.271757 > S
> 3703832914:3703832914(0) ack 120893176 win 31944 <mss
> 1452,sackOK,timestamp 110780581 73022819,nop,wscale 0> (DF)
> 10:09:40.271973 > . ack 1 win 5808
> <nop,nop,timestamp 73022824 110780581> (DF)
> 10:09:40.272986 > P 1:533(532) ack
> 1 win 5808 <nop,nop,timestamp 73022824 110780581> (DF)
> 10:09:40.343660 > . ack 533 win
> 31944 <nop,nop,timestamp 110780589 73022824> (DF)
The packets go out with an mss of 1452, that is, your pmtu should
be 1492 (mss+20+20).
Is your mtu (and mru) set to 1492? (I would suppose it is set to a smaller value.)

> Now does it still make sense to try what you've told me to do?
First I would check if your mtu (mru) is set to 1492.
Your mss seems to be set as if this was your mtu.

> And what is the disease I'm curing with that?
As far as I understand it:
You're running pppoe. That means your ip packets (ppp0) are wrapped
in pppoe packets, which are sent through your eth interface. This adds
8 bytes. Your eth interface has an mtu of 1500, so your pppd should have
an mtu of 1492. The server has to be told to send only packets with max
1492 bytes so they can be wrapped in pppoe (by the isp router).
This is done with the "-j TCPMSS --clamp-mss-to-pmtu" rule. It discovers
your pmtu and sets mss accordingly.
If the server sends larger packets, they don't reach your eth interface.
The server is told by the mss value how big the max packet size should
be. Now this seems to work. But if the mtu of your ppp0 interface is smaller
than 1492, <speculation> your isp router knows about this from the ppp
negotiation and doesn't send you those packets. Now it could tell the
server that it should fragment the packet, which doesn't work in some
cases etc. </speculation>

But I could be totally wrong and would appreciate any correction.

Andreas Baetz

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been scanned
for the presence of computer viruses.
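The check Andreas suggests (read the mss out of the SYN packets, add the 20-byte IPv4 and 20-byte TCP headers, and compare the result with the mtu of the ppp0 interface) can be done mechanically. The script below is an added example, not code from the post or from SuSE; it reassembles tcpdump records that a mail client wrapped across several lines, extracts each advertised mss and reports whether it agrees with the configured link mtu. The `SAMPLE_TRACE` is a constructed copy of the quoted trace with the hosts omitted, as in the post; the 8-byte PPPoE overhead and the 1500-byte Ethernet mtu are the figures from the message.

```python
import re

IPV4_HEADER = 20
TCP_HEADER = 20
PPPOE_OVERHEAD = 8   # PPPoE header (6 bytes) + PPP protocol field (2 bytes)


def mss_for_mtu(mtu):
    """MSS a host should advertise for a given path MTU (IPv4, no options)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def mtu_for_mss(mss):
    """Path MTU implied by an advertised MSS; the inverse of mss_for_mtu()."""
    return mss + IPV4_HEADER + TCP_HEADER


def pppoe_link_mtu(eth_mtu=1500):
    """MTU the ppp0 interface should use when PPPoE rides on an Ethernet link."""
    return eth_mtu - PPPOE_OVERHEAD


_TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
_MSS_OPTION = re.compile(r"\bmss (\d+)")


def reassemble(dump_text):
    """Join tcpdump records that were wrapped across several lines.

    A record starts at a timestamp; every following line without a
    timestamp is a continuation and is appended to the current record.
    """
    records = []
    for raw in dump_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _TIMESTAMP.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def check_mss(dump_text, ppp_mtu):
    """For each record that advertises an MSS, report whether it fits ppp_mtu.

    A SYN whose mss + 40 differs from the ppp0 mtu means the clamp (or the
    interface mtu) is not what the sender believes the path can carry.
    """
    findings = []
    for record in reassemble(dump_text):
        match = _MSS_OPTION.search(record)
        if not match:
            continue
        mss = int(match.group(1))
        findings.append({
            "time": record.split()[0],
            "mss": mss,
            "implied_mtu": mtu_for_mss(mss),
            "expected_mss": mss_for_mtu(ppp_mtu),
            "matches_link": mtu_for_mss(mss) == ppp_mtu,
        })
    return findings


# Constructed sample, shaped after the wrapped trace quoted in the post
# (hosts omitted there as well).
SAMPLE_TRACE = """\
10:09:40.228711 > S
120893175:120893175(0) win 5808 <mss 1452,sackOK,timestamp 73022819
0,nop,wscale 0> (DF)
10:09:40.271757 > S
3703832914:3703832914(0) ack 120893176 win 31944 <mss
1452,sackOK,timestamp 110780581 73022819,nop,wscale 0> (DF)
10:09:40.271973 > . ack 1 win 5808
<nop,nop,timestamp 73022824 110780581> (DF)
"""

if __name__ == "__main__":
    link_mtu = pppoe_link_mtu()          # 1492 for PPPoE over 1500-byte Ethernet
    print("ppp0 mtu should be", link_mtu, "-> expected mss", mss_for_mtu(link_mtu))
    for f in check_mss(SAMPLE_TRACE, link_mtu):
        state = "ok" if f["matches_link"] else "MISMATCH"
        print(f"{f['time']} mss {f['mss']} implies pmtu {f['implied_mtu']}: {state}")
```

Run it against a real capture by passing the tcpdump output (or a pasted mail excerpt) to `check_mss()` together with the mtu reported for ppp0; a second run with a deliberately smaller mtu shows the mismatch report that Andreas suspects is behind the stalled connection.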
