On Wed, 2004-12-01 at 05:18, Terry Hancock wrote:

<snip>

> "Fragments"?

Bingo.

> Why only from certain web servers?
> e.g.:
> http://www.tera-byte.com
> http://www.poalo.com
> http://www.paypal.com

Because the reply packets from those sites break the "need-to-frag" threshold.

> How can I verify what is and is not being dropped?

tcpdump on your firewall's external interface for ICMP Type 3 Code 4 packets.

> Some details:

<snip>

One detail that would've been nice would be the output of "ip link show" so that we could see the MTU of ppp0...

Generically, try this:

    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN \
      -j TCPMSS --clamp-mss-to-pmtu

If that doesn't help:

    MYMSS=$((MTU_OF_PPP0 - 40))
    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN \
      -j TCPMSS --set-mss $MYMSS

-- 
"Me lose brain? Uh, oh! Ha ha ha! Why I laugh?" --The Simpsons
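The steps in the reply above (read the MTU of ppp0, derive the MSS, clamp it, and watch for ICMP "fragmentation needed" on the outside interface) put together as a small script. This is an added example, not code from the original mail or its author; the `ip link show` output it parses is a constructed sample (a PPPoE link with a 1492-byte MTU is assumed), and the script prints the iptables rules and the tcpdump check for review rather than applying them.

```shell
#!/bin/sh
# Added example: derive the TCP MSS to clamp from an interface MTU and emit
# the MSS-clamping rules plus a tcpdump filter for PMTU "need-to-frag" errors.
# Nothing here changes firewall state; the rules are only printed.

# Constructed sample of `ip link show ppp0` output (assumption: PPPoE, MTU 1492).
SAMPLE_IP_LINK='3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 3
    link/ppp '

# mtu_of: read `ip link show` output on stdin and print the "mtu N" value.
mtu_of() {
    sed -n 's/.* mtu \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# mss_for_mtu: MSS = MTU - 20 (IPv4 header) - 40 total with the 20-byte TCP header.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# clamp_rules: print the two rules from the mail, with the MSS computed for
# the given MTU. The PMTU-based rule comes first; the fixed-MSS rule is the
# fallback when PMTU discovery is being blackholed upstream.
clamp_rules() {
    mss=$(mss_for_mtu "$1")
    printf '%s\n' "iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
    printf '%s\n' "iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# frag_needed_check: tcpdump command that shows only ICMP type 3 code 4
# (destination unreachable, fragmentation needed) on the external interface.
frag_needed_check() {
    printf '%s\n' "tcpdump -ni $1 'icmp[0] == 3 and icmp[1] == 4'"
}

# main: use the live ppp0 MTU when the interface exists, else the sample.
main() {
    if ip link show ppp0 >/dev/null 2>&1; then
        mtu=$(ip link show ppp0 | mtu_of)
    else
        mtu=$(printf '%s\n' "$SAMPLE_IP_LINK" | mtu_of)
    fi
    echo "# ppp0 MTU: $mtu, MSS to clamp: $(mss_for_mtu "$mtu")"
    clamp_rules "$mtu"
    echo "# verify whether need-to-frag ICMP is arriving:"
    frag_needed_check ppp0
}
```

Run it as-is to get the rules for review; paste them into the firewall script once the MTU and MSS look right for the link.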