Posted to users@httpd.apache.org by Ed Suominen <ge...@eepatents.com> on 2004/03/13 05:04:32 UTC

[users@httpd] Crazy Apache/Shorewall Problem

 I have spent an embarrassingly large number of hours today trying to get
 Apache to serve stuff through iptables as configured by the Shorewall
 firewall package.
 
 After much logging, shorewall reloading, and packet sniffing, I found that
 my router (192.168.254.254) is sending ICMP packets back to me when big
 files are requested by some (but not all?!?!?) clients:
 
 Mar 12 19:45:51 [kernel] DEBUG:IN
 IN=eth1 OUT= 
 MAC=<whatever> SRC=192.168.254.254 DST=192.168.254.1
 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=22404 DF
 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.254.1 DST=69.57.157.43 LEN=1520
 TOS=0x00 PREC=0x00 TTL=63 ID=54196 FRAG:64 PROTO=TCP ]
 MTU=1492
 
 The type and code mean "Fragmentation needed but no frag. bit set."
 
 Shorewall drops ICMP packets, so I had to add the following
 to /etc/shorewall/start:
 
 iptables -I INPUT -i eth1 -s 192.168.254.254 -p icmp --icmp-type 3 -j ACCEPT
 
 Presumably, no one will be able to make my router send malicious ICMP
 packets of type 3, all codes of which look pretty benign.
 
 Not really asking for any help here, but curious if anyone knows of a fix
 for the ICMP junk and if anyone has ever heard of this.
 
 -- 
 Ed Suominen
 Registered Patent Agent 
 Open Source Developer (Yes, both...)
 Web Site: http://www.eepatents.com



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: Crazy Apache/Shorewall Problem

Posted by Ed Suominen <ge...@eepatents.com>.
Tom Eastep, the author of Shorewall, helped me figure this one out. He
wrote:

> What you are doing is a hack to work around some more fundamental problem.
> My guess is that the real problem is either that:
> 
> a) You need CLAMPMSS=Yes in shorewall.conf but have CLAMPMSS=No ; or

Tried that, after ensuring that my kernel is properly configured. But it
didn't help -- still didn't work without my "--proto icmp" hack.

> b) On your internal network, the firewall has an MTU that is different
> from the MTU configured in the client systems.

Excellent tip! I changed the MTU of my Internet NIC to 1492 and it works
without the hack. (I left "CLAMPMSS=Yes" alone, figuring that's probably
the right setting whether it matters for this or not.)

I noticed during my packet sniffing that the "shorewall clear" (worked OK)
setup was sending 8 fewer bytes per packet than the "shorewall start" (bad
HTTP) setup, which is interesting given that 1500-1492=8.


-- 
Ed Suominen
Registered Patent Agent 
Open Source Developer (Yes, both...)
Web Site: http://www.eepatents.com





Re: [users@httpd] Crazy Apache/Shorewall Problem

Posted by Nick Kew <ni...@webthing.com>.
On Fri, 12 Mar 2004, Ed Suominen wrote:

>  After much logging, shorewall reloading, and packet sniffing, I found that
>  my router (192.168.254.254) is sending ICMP packets back to me when big
>  files are requested by some (but not all?!?!?) clients:

That screams "broken ECN in the router" to me, and the clients affected
will be those with ECN enabled.

Just another eye-of-newt for the cauldron.  In view of your own followup,
I won't try to expand on it:-)

-- 
Nick Kew
