Re: Problem viewing some web pages

To: snx@ifrance.com
Cc: debian-firewall@lists.debian.org
Subject: Re: Problem viewing some web pages
From: Giacomo Mulas <gmulas@ca.astro.it>
Date: Thu, 8 Feb 2001 10:47:37 +0100 (CET)
Message-id: <[🔎] Pine.LNX.4.21.0102081024500.1879-100000@capitanata.ca.astro.it>
In-reply-to: <[🔎] 200102071927.3b07@lh00.opsion.fr>

On Wed, 7 Feb 2001 snx@ifrance.com wrote:

> I have a PC with woody as firewall with kernel 2.2.14
> I use masquarading.
> My host machine is a woody to with kernel 2.4.0
> I've noticed that some web site like
> www.club-internet.fr
> is not viewable from the host machine.
> If I ssh to my firewall machine and launch lynx
> http://www.club-internet.fr/  the content of the site
> is shown.
> But doing the same on the host => host contacted
> waiting for reply. But the reply never comes !
> This happens with some other sites.
> I've tried with windows on the host machine => the
> same.

This has probably nothing to do with masquerading. The host that has
problems connecting to some web sites runs a 2.4.x kernel, and 2.4.x
kernels support explicit congestion notification (ECN), which means that
some (previously reserved) bits in the TCP headers are set in a particular
way and this confuses some dumb routers that react rejecting them. The
real solution would be to upgrade those routers, but I suspect that this
may be out of your hands, as they are scattered around the Internet... The
(hopefully temporary) workaround is to disable ECN on your host, doing
something like

echo 0 > /proc/sys/net/ipv4/tcp_ecn

If you want this to be be done automatically at startup, you can install
one of the many debian packages that give you the possibility to save  
kernel tuning options and restore them upon boot, such as e. g. sysctl,
powertweak etc. (there are many possibilities).

Recently a big time flame war exploded in the linux-kernel mailing list
between people that wanted to implement a workaround directly in the
kernel, to automatically retry failed connections with ECN disabled
(breaking strict compliance to TCP/IP specifications) and people that
wanted instead to be as strict as possible, to force an upgrade of broken
routers around the world. I did not read to the end of it, but I think
neither decision was taken.

Hope this helps you
Giacomo

_________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it, gmulas@tiscalinet.it>
_________________________________________________________________

OSSERVATORIO  ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)
_________________________________________________________________

Reply to:

Follow-Ups:
- Re: Problem viewing some web pages
  - From: Jan Ludewig <neuro@gate5.de>

References:
- Problem viewing some web pages
  - From: <snx@ifrance.com>

Prev by Date: Re: Port Forwarding
Next by Date: Re: Problem viewing some web pages
Previous by thread: Re: Problem viewing some web pages (RESOLVED)
Next by thread: Re: Problem viewing some web pages
Index(es):
- Date
- Thread