Friday, October 22, 2010

Re: firewalls and MTU - identifying problem if any

On Friday, 22.10.2010, at 13:36 +0100, Adam Hardy wrote:
> I have a small LAN at home connected up to the net via a DSL modem on a gateway
> machine running lenny and iptables.
>
> I have a problem with some software running on a windows machine on the LAN
> where the company who wrote the software say that there must be something wrong
> with my internet connection, but can't help any further.

You can set a log target in your firewall for this Windows machine, so
you can see what connections the machine wants to make.
I am thinking of:

iptables -A FORWARD -s <windows-IP> -o <DSL-device> \
-m state --state NEW -j LOG --log-prefix 'WIN-LOG: '

Then start the software and look in the log files on Linux to see what
happens.

> I'd like to know what tests I can run to verify that my config and my firewall
> are OK, especially regarding PMTU.
>
> I had an issue before this which I solved by adding some ICMP related rules to
> iptables, and by disabling the firewall on my DSL modem, which is undocumented
> by the manufacturer (and denied by their Support). It's iptables running on an
> embedded linux and resets itself every power cycle. I think it does ICMP
> clamping but I can telnet onto the modem and drop the rules (as long as I
> remember).
>
> What can I do with ping? This ping command gives suspicious results:
>
> ping -s 1473 mktgw1.ibllc.com
>
> One byte less and it works. Fragmentation also works for normal websites like
> news.bbc.co.uk.

How does your DSL link work? I think it works with PPPoE. In this case, the
MTU is 1472. You can set the MTU for PPPoE in your ppp options.

> I'd massively appreciate any help with this! I'm stuck with either my own
> mistake, or until I can prove I haven't made one.
>
> Thanks
> Adam

np Sascha


Archive: http://lists.debian.org/1287755415.4569.11.camel@localhost.localdomain
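
The ping test discussed in this thread, as an added example that is not part of the original mails: a script that sends echo requests with the Don't Fragment bit set and binary-searches the largest ICMP payload that gets through, then adds the 28 bytes of IPv4 and ICMP headers to report the path MTU. It assumes Linux iputils ping (`-M do`) and a target that answers echo requests; the function names `probe` and `find_pmtu` are made up for this example.

```sh
#!/bin/sh
# Added example: find the largest packet that reaches a host unfragmented.

# probe SIZE HOST: succeed if one ICMP echo with SIZE payload bytes is
# answered while the Don't Fragment bit is set (iputils ping: -M do).
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_pmtu HOST [LOW] [HIGH]: print the path MTU in bytes.
# LOW and HIGH are ICMP payload sizes; returns 1 if even LOW fails,
# which means the host is unreachable or does not answer ping at all.
find_pmtu() {
    host=$1
    lo=${2:-548}     # payload of a 576-byte packet
    hi=${3:-1472}    # payload of a 1500-byte Ethernet packet
    probe "$lo" "$host" || return 1
    # Invariant: probe succeeds at $lo, and the answer lies in [lo, hi].
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    # payload + 8 bytes ICMP header + 20 bytes IPv4 header
    echo $(( lo + 28 ))
}

# Usage: sh pmtu.sh <host>
if [ $# -ge 1 ]; then
    find_pmtu "$1" || {
        echo "no echo reply from $1 even at the minimum size" >&2
        exit 1
    }
fi
```

A probe that times out looks the same whether the packet was too big or the ICMP "fragmentation needed" reply was filtered on the way back, so a result below the expected link MTU is the point at which to check the ICMP rules on the gateway and modem.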