Hi Mattias,

On Thu, 03 Dec 2009 23:22:47 +0100
Mattias Rönnblom <hofors@xxxxxxxxxxxxxx> wrote:

> I'll do some guessing here. It looks like the first large (MSS-sized)
> segment is lost. I've seen this happening in networks where Path MTU
> Discovery didn't work (because ICMP Fragmentation Needed was
> filtered).

You're absolutely right. I could solve my problem by either allowing any
ICMP traffic from outside to any destination or using the clamp-to-pmtu
in the server settings for the firewall. This is a switch in fwbuilder.

Why is such an ICMP message not RELATED in the meaning of

echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

with a _related_ TCP connection?

Thanks a lot anyway!!

Lars
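
Added example, not part of the original message and not netfilter code: a simplified Python model of how an ICMP Fragmentation Needed error (type 3, code 4) can be tied to a tracked TCP connection through the original IP header and first 8 TCP bytes it embeds. The addresses, ports, MTU and the one-entry connection table are constructed, and the ICMP checksum is not verified.

```python
import socket
import struct

def build_sample(src, sport, dst, dport, mtu):
    """Constructed ICMP type 3 / code 4 message quoting a 1500-byte TCP segment."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp8 = struct.pack("!HHI", sport, dport, 1000)  # ports + sequence number
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + ip + tcp8

def parse_frag_needed(icmp):
    """Return (next_hop_mtu, inner_tuple) for a Fragmentation Needed message
    (RFC 1191 layout), or None if the message is something else or truncated."""
    if len(icmp) < 8 + 20 + 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    inner = icmp[8:]                      # quoted header of the oversized packet
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return mtu, (inner[9], src, sport, dst, dport)

def classify(icmp, tracked):
    """Toy state lookup: the error is RELATED only if the quoted packet belongs
    to a tracked flow. Also returns the MSS that fits the reported MTU
    (MTU - 20 bytes IPv4 - 20 bytes TCP, assuming no options)."""
    parsed = parse_frag_needed(icmp)
    if parsed is None:
        return "NO_MATCH", None
    mtu, inner_tuple = parsed
    if inner_tuple in tracked:
        return "RELATED", mtu - 40
    return "NO_MATCH", None

# Constructed table: one server-to-client flow (protocol 6 = TCP).
TRACKED = {(6, "192.0.2.10", 80, "198.51.100.7", 51000)}
SAMPLE = build_sample("192.0.2.10", 80, "198.51.100.7", 51000, 1400)

if __name__ == "__main__":
    print(classify(SAMPLE, TRACKED))
```

The MSS value returned for a matched message is the one a sender would need so that its segments fit the reported next-hop MTU, which is the quantity MSS clamping sets in advance.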