On Wednesday 2010-06-09 10:00, Tvrtko Ursulin wrote: > >Firewall rules do not mention ICMP and I can ping outside world so I guess >that means it is not blocked? ICMP is not just ping, there is more like PMTUD and others. If PMTUD works on your side, you don't need TCPMSS. >I tried doing "ifconfig eth0 mtu 1452" on the client and that did not help. Just for the record, do _not_ use ifconfig, but ip in the future. >Site I was testing with is http://www.tesco.com/superstore/ . This page does >not load unless MTU 1400 is set on the client. >> If not: SACK/DSACK/FACK is broken in 2.6.18 (dunno when it was fixed, >> but 2.6.25 looks good), and if either client or server make use >> of it, things can hang once SACKs are exchanged. > >My clients are 2.6.31 - 2.6.34, but the router/firewall is running 2.6.21.5. Well try deactivating sack/dsack/fack then (that's in sysctl). -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
