Posted to users@httpd.apache.org by Ed Suominen <ge...@eepatents.com> on 2004/03/13 06:21:35 UTC
[users@httpd] Re: Crazy Apache/Shorewall Problem
Tom Eastep, the author of Shorewall, helped me figure this one out. He
wrote:
> What you are doing is a hack to work around some more fundamental problem.
> My guess is that the real problem is either that:
>
> a) You need CLAMPMSS=Yes in shorewall.conf but have CLAMPMSS=No ; or
Tried that, after ensuring that my kernel is properly configured. But it
didn't help -- still didn't work without my "--proto icmp" hack.
> b) On your internal network, the firewall has an MTU that is different
> from the MTU configured in the client systems.
Excellent tip! I changed the MTU of my Internet NIC to 1492 and it works
without the hack. (I left "CLAMPMSS=Yes" alone, figuring that's probably
the right setting whether it matters for this or not.)
I noticed during my packet sniffing that the "shorewall clear" (worked OK)
setup was sending 8 fewer bytes per packet than the "shorewall start" (bad
HTTP) setup, which is interesting given that 1500-1492=8.
Ed Suominen wrote:
> I have spent an embarrassingly large number of hours today trying to get
> Apache to serve stuff through iptables as configured by the Shorewall
> firewall package.
>
> After much logging, shorewall reloading, and packet sniffing, I found
> that my router (192.168.254.254) is sending ICMP packets back to me when
> big files are requested by some (but not all?!?!?) clients:
>
> Mar 12 19:45:51 [kernel] DEBUG:IN
> IN=eth1 OUT=
> MAC=<whatever> SRC=192.168.254.254 DST=192.168.254.1
> LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=22404 DF
> PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.254.1 DST=69.57.157.43 LEN=1520
> TOS=0x00 PREC=0x00 TTL=63 ID=54196 FRAG:64 PROTO=TCP ]
> MTU=1492
>
> The type and code mean "Fragmentation needed but no frag. bit set."
>
> Shorewall drops ICMP packets, so I had to add the following
> to /etc/shorewall/start:
>
> iptables -I INPUT -i eth1 -s 192.168.254.254 -p icmp --icmp-type 3 -j ACCEPT
>
> Presumably, no one will be able to make my router send malicious ICMP
> packets of type 3, all codes of which look pretty benign.
>
> Not really asking for any help here, but curious if anyone knows of a fix
> for the ICMP junk and if anyone has ever heard of this.
>
> --
> Ed Suominen
> Registered Patent Agent
> Open Source Developer (Yes, both...)
> Web Site: http://www.eepatents.com
>
--
Ed Suominen
Registered Patent Agent
Open Source Developer (Yes, both...)
Web Site: http://www.eepatents.com
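The log line Ed quoted is the classic symptom of a Path MTU Discovery black hole: the router answers an oversized TCP segment with ICMP type 3 code 4 ("fragmentation needed, DF set") and reports the MTU it can pass (1492, a PPPoE-sized link), and a firewall that silently drops that ICMP leaves the sender retransmitting full-size segments forever. The script below is an added example, not anything from this thread or from Shorewall: it parses a netfilter LOG line in the key=value layout the kernel uses (the sample is a constructed single-line copy of Ed's log), flags fragmentation-needed messages, and derives the MSS value an MSS-clamping rule (what CLAMPMSS=Yes turns on) would need for the reported MTU. The field names follow the netfilter LOG target; the helper names are this example's own.

```python
import re
from typing import Optional

# Constructed sample: the kernel log line from the original message, joined
# onto one line so it can be fed to the parser. Values are the ones quoted
# in the thread, not live data.
SAMPLE_LOG = (
    "Mar 12 19:45:51 [kernel] DEBUG:IN IN=eth1 OUT= MAC=<whatever> "
    "SRC=192.168.254.254 DST=192.168.254.1 LEN=56 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=22404 DF PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.254.1 "
    "DST=69.57.157.43 LEN=1520 TOS=0x00 PREC=0x00 TTL=63 ID=54196 "
    "FRAG:64 PROTO=TCP ] MTU=1492"
)

KV_RE = re.compile(r"(\w+)=(\S*)")


def _kv(text: str) -> dict:
    """Turn 'KEY=value KEY2= DF ...' into a dict.

    Bare upper-case tokens such as DF (don't-fragment) are collected under
    the 'flags' key so they are not lost.
    """
    fields = {k: v for k, v in KV_RE.findall(text)}
    fields["flags"] = [
        tok for tok in text.split() if "=" not in tok and tok.isalpha() and tok.isupper()
    ]
    return fields


def parse_netfilter_log(line: str) -> dict:
    """Split a netfilter LOG line into outer header, embedded inner header and MTU.

    For ICMP errors the kernel appends the header of the packet that caused the
    error in square brackets starting with 'SRC=', followed by MTU=<n> for
    fragmentation-needed messages.  '[kernel]' earlier on the line is not the
    inner header, so the search anchors on '[SRC='.
    """
    m = re.search(r"\[(SRC=.*?)\]", line)
    if m:
        outer, inner, trailer = line[: m.start()], m.group(1), line[m.end():]
    else:
        outer, inner, trailer = line, "", ""
    rec = {"outer": _kv(outer), "inner": _kv(inner) if inner else {}, "mtu": None}
    mtu_m = re.search(r"\bMTU=(\d+)", trailer)
    if mtu_m:
        rec["mtu"] = int(mtu_m.group(1))
    return rec


def is_frag_needed(rec: dict) -> bool:
    """True for ICMP type 3 code 4 (fragmentation needed and DF set)."""
    o = rec["outer"]
    return o.get("PROTO") == "ICMP" and o.get("TYPE") == "3" and o.get("CODE") == "4"


def mss_for_mtu(mtu: int, ip_hdr: int = 20, tcp_hdr: int = 20) -> int:
    """MSS that fits a path MTU: MTU minus minimal IPv4 and TCP headers."""
    return mtu - ip_hdr - tcp_hdr


def diagnose(rec: dict) -> Optional[dict]:
    """Summarise a fragmentation-needed event; None for anything else.

    'excess' is how far the blocked segment overshot the reported MTU and
    'recommended_mss' is what an MSS clamp on the firewall should advertise
    so that TCP never produces such a segment in the first place.
    """
    if not is_frag_needed(rec):
        return None
    inner_len = int(rec["inner"].get("LEN", 0))
    mtu = rec["mtu"]
    return {
        "router": rec["outer"].get("SRC"),
        "remote": rec["inner"].get("DST"),
        "offending_len": inner_len,
        "reported_mtu": mtu,
        "excess": inner_len - mtu if mtu else None,
        "recommended_mss": mss_for_mtu(mtu) if mtu else None,
    }


if __name__ == "__main__":
    record = parse_netfilter_log(SAMPLE_LOG)
    result = diagnose(record)
    if result:
        print("PMTUD black hole risk: router %(router)s says MTU %(reported_mtu)d, "
              "segment to %(remote)s was %(offending_len)d bytes (%(excess)d over); "
              "clamp MSS to %(recommended_mss)d" % result)
```

Run over the kernel log, this turns a dropped-or-logged ICMP error into an actionable line (which router, which remote host, which MTU, which MSS to clamp to), and the absence of any such lines after the MTU fix is the check that the path is healthy again. Accepting fragmentation-needed from the upstream router, as Ed's rule does, keeps PMTUD working; clamping the MSS at the firewall removes the dependency on ICMP getting through at all.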
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org