Re: Changes to /etc/init.d/networking

To: debian-firewall@lists.debian.org
Subject: Re: Changes to /etc/init.d/networking
From: Gordon Sadler <gbsadler1@lcisp.com>
Date: Fri, 13 Apr 2001 20:51:50 -0500
Message-id: <20010413205150.A30900@lcisp.com>
Mail-followup-to: debian-firewall@lists.debian.org
In-reply-to: <3AD6FF06.45FE3C4F@telusplanet.net>; from linuxbox@telusplanet.net on Fri, Apr 13, 2001 at 07:28:38AM -0600
References: <3AD6CA08.3105A4EC@telusplanet.net> <20010414091004.B29594@piro.kabuki.openfridge.net> <3AD6EF9D.B2935142@telusplanet.net> <20010414110540.A30074@piro.kabuki.openfridge.net> <3AD6FF06.45FE3C4F@telusplanet.net>

On Fri, Apr 13, 2001 at 07:28:38AM -0600, Stefan Srdic wrote:
> Daniel Stone wrote:
> 
> > Well, there's been a raging debate on linux-kernel about this. Basically,
> > some Cisco routers are broken, as the (outdated) RFC specified that this
> > field (the one for ECN) was "reserved", so Cisco took that to mean "must be
> > zero". Hence, when you turn ECN on, a lot of Cisco routers drop the packet -
> > including the ones for Hotmail, etc.
> >
> > Hope this helps,
> > :) d
> 
> That could explain a few problems that I have been having while attempting to
> download from the net through my Windows clients, maybe it would be best to leave
> ECN to its default value (off) untill further investigation proves otherwise. Funny
> how there was no mention of this in the kernel documentation.
> 
linux/Documentation/Configure.help:
TCP Explicit Congestion Notification support
CONFIG_INET_ECN
  Explicit Congestion Notification (ECN) allows routers to notify
  clients about network congestion, resulting in fewer dropped packets
  and increased network performance. This option adds ECN support to the
  Linux kernel, as well as a sysctl (/proc/sys/net/ipv4/tcp_ecn) which
  allows ECN support to be disabled at runtime.

  Note that, on the Internet, there are many broken firewalls which
  refuse connections from ECN-enabled machines, and it may be a while
  before these firewalls are fixed. Until then, to access a site behind
  such a firewall (some of which are major sites, at the time of this
  writing) you will have to disable this option, either by saying N now
  or by using the sysctl.

  If in doubt, say N.
						
But anyway...
 
I gladly used this setting as soon as I started with 2.4.. until I
noticed all of ibm.com and anoncvs.gnome.org seem to be behind 'broken'
routers -(....

Gordon Sadler


> Anyway...
> 
> Are there any other IPV4 settings that I should know about that increase system
> transfer efficientcy and security?
> 
> Would it be recomended to execute an IPTables script via the networking init script?
> 
> Stef
>

Reply to:

References:
- Changes to /etc/init.d/networking
  - From: Stefan Srdic <linuxbox@telusplanet.net>
- Re: Changes to /etc/init.d/networking
  - From: Daniel Stone <daniel@kabuki.openfridge.net>
- Re: Changes to /etc/init.d/networking
  - From: Stefan Srdic <linuxbox@telusplanet.net>
- Re: Changes to /etc/init.d/networking
  - From: Daniel Stone <daniel@kabuki.openfridge.net>
- Re: Changes to /etc/init.d/networking
  - From: Stefan Srdic <linuxbox@telusplanet.net>

Prev by Date: Re: Changes to /etc/init.d/networking
Next by Date: Re: Iptables logging
Previous by thread: Re: Changes to /etc/init.d/networking
Next by thread: Re: Changes to /etc/init.d/networking
Index(es):
- Date
- Thread