On Sun, Mar 19, 2006 at 01:37:39AM +0100, Krzysztof Oledzki wrote:
>
>
> On Fri, 17 Mar 2006, Alexander Samad wrote:
>
> >Hi
> >
> >I was resently setting up my new firewall usimng openwrt on a linksys.
> >
> >I got around to setting up my adsl connection and added into my iptables
> >these commands
> >
> >
> >
> >$IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >$IPT -t filter -A FORWARD -o $WANADSL -p tcp --tcp-flags SYN,RST SYN -j
> >TCPMSS --clamp-mss-to-pmtu
> >$IPT -t nat -A POSTROUTING -o $WANADSL -j MASQUERADE
> >
> >which is what I have normally done.
> >
> >http traffic worked well, but ftp of large files, timed out, sign of a
> >mtu problem. It worked when I ftp'ed from the firewall, but not when I
> >did it from behind the firewall.
> >
> >When I did some tcpdumps, I noticed that the second connection created
> >by the client wasn't being clamp'ed.
> >
> >The way I figure it was that the second connection was related to the
> >first one, and thus being consumed by the first line in iptables (above)
> >
> >Once I changed the order of line 1 and 2 every thing worked fine.
> >
> >Now openwrt uses 2.4.30, and my previous firewall used 2.6 and I believe
> >it was setup as shown above and it worked fine.
> >
> >The other difference is that conntrack_ftp is compiled into the kernel.
> >
> >Is this a know feature/bug ? why has it worked in 2.6 and not in 2.4 or
> >is the problem in compiled in and as a module
>
> The solution is simple: TCPMSS should be used only in mangle table.
> Anyway, if you didn't change the configuration I have no idea why it
> worked in 2.6 and does not work in 2.4.
makes sense, ran foul of the man page
Workaround: activate this option and add a rule to your firewall
configuration like:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu
>
> Best regards,
>
> Krzysztof Ol?dzki
Attachment:
signature.asc
Description: Digital signature
