Lars Täuber wrote:
> Hi Mattias,
>
> On Thu, 03 Dec 2009 23:22:47 +0100 Mattias Rönnblom <hofors@xxxxxxxxxxxxxx> wrote:
>> I'll do some guessing here. It looks like the first large (MSS-sized)
>> segment is lost. I've seen this happening in networks where Path MTU
>> Discovery didn't work (because ICMP Fragmentation Needed was
>> filtered).
>
> You're absolutely right.
> I could solve my problem by either allowing any ICMP traffic from outside to any destination or using the clamp-to-pmtu in the server settings for the firewall. This is a switch in fwbuilder.
>
> Why is such an ICMP message not RELATED in the meaning of
> echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
> with a _related_ TCP connection?

It should be. Please post a dump of the relevant ICMP message and the
connection tuples from /proc/net/nf_conntrack for the original TCP connection.
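The comparison the reply asks for, as an added example that is not part of the original thread: a Python sketch that parses an ICMP Fragmentation Needed message (type 3, code 4), pulls out the embedded TCP tuple and next-hop MTU, and checks the tuple against a /proc/net/nf_conntrack line. The packet bytes, addresses and conntrack line are constructed sample data, and the matching is a simplified illustration of the idea, not the kernel's conntrack code.

```python
import re
import socket
import struct

def parse_frag_needed(icmp: bytes):
    """Return next-hop MTU and embedded TCP tuple of an ICMP type 3 / code 4 message."""
    if len(icmp) < 28:                      # 8-byte ICMP header + 20-byte inner IP header
        return None
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):         # not "Fragmentation Needed and DF set"
        return None
    inner = icmp[8:]                        # header of the packet that was too big
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < ihl + 4:   # need TCP and its two port fields
        return None
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"mtu": mtu, "tuple": (src, dst, sport, dport)}

def conntrack_tuples(line: str):
    """Return the original and reply tuples found in one nf_conntrack line."""
    found = re.findall(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)", line)
    return [(s, d, int(sp), int(dp)) for s, d, sp, dp in found]

def is_related(icmp: bytes, line: str) -> bool:
    """True if the packet quoted in the ICMP error belongs to the tracked connection."""
    parsed = parse_frag_needed(icmp)
    return parsed is not None and parsed["tuple"] in conntrack_tuples(line)

def build_sample() -> bytes:
    """Constructed ICMP error (checksums left at 0, not verified here)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x4000, 64, 6, 0,
                           socket.inet_aton("192.0.2.10"),
                           socket.inet_aton("198.51.100.20"))
    inner_tcp = struct.pack("!HHI", 80, 40000, 1)      # sport, dport, seq
    return struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + inner_ip + inner_tcp

# Constructed conntrack entry: client 198.51.100.20 talking to server 192.0.2.10:80.
SAMPLE_LINE = ("ipv4     2 tcp      6 431999 ESTABLISHED "
               "src=198.51.100.20 dst=192.0.2.10 sport=40000 dport=80 "
               "src=192.0.2.10 dst=198.51.100.20 sport=80 dport=40000 [ASSURED] use=2")

if __name__ == "__main__":
    sample = build_sample()
    print(parse_frag_needed(sample), is_related(sample, SAMPLE_LINE))
```

If the embedded tuple does not appear in the conntrack entry (for example because of NAT between the capture point and the firewall), the comparison shows which field differs.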