Re: browser problem from inside firewall

On 4 Jul 2005, jpff@codemist.co.uk wrote:
> I have just (well yesterday) changed my firewall from an aging RedHat
> system to Debian.  Most things seem OK (couple of minor spamassassin
> problems) but there is one MAJOR problem that I do not understand.
> The simplest form is when a user inside the firewall attempts to
> upload a photo to flickr.com it just hangs and eventually times out.
> If the same thing is done from the firewall itself it works
> instantly.  I deduce that something in Debian is being very cautious,
> but I do not know what.  The iptables I have are the same as on the
> previous system, and it used to work.

At a guess, you lost the "MTU clamping" fix for the "path MTU blackhole"
on the ADSL line servicing the business.  This is probably because it
was done in the PPPoE client, not the iptables firewall itself.

Have a look at the TCPMSS target, and the "clamp MTU to MSS" (or whatever
it is) option, which resolves this in iptables.
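As an added illustration (not part of the original thread, and not a script either poster wrote): a small POSIX shell script that derives the TCP MSS from the link MTU, emits the iptables TCPMSS clamp rule the reply points at, and includes a probe for the blackhole itself. The interface name ppp0, the PPPoE-over-Ethernet MTU of 1492 and the probe host are assumptions; substitute the real uplink values.

```shell
#!/bin/sh
# Added example for the TCPMSS / path-MTU-blackhole discussion above.
# Assumptions: the ADSL link is PPPoE on ppp0 with MTU 1492 (Ethernet
# 1500 minus 8 bytes of PPPoE header). Nothing here is from the thread.

# IPv4 TCP: MSS = MTU - 20 (IP header) - 20 (TCP header).
# 1492 -> 1452, which is the value the firewall should force on SYNs.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Emit the clamp rules for the mangle table's FORWARD chain. TCPMSS is
# only valid on SYN (and SYN/ACK) packets, hence --tcp-flags SYN,RST SYN.
#   1. --clamp-mss-to-pmtu: rewrite MSS to the MTU of the outgoing route
#      minus 40; this is the "clamp" option the reply refers to.
#   2. --set-mss N: fixed value, useful when PMTU discovery itself is
#      blackholed and the link MTU is known. Printed commented out so
#      only one variant is active.
tcpmss_rules() {
    iface=$1
    mtu=$2
    mss=$(mss_for_mtu "$mtu")
    cat <<EOF
iptables -t mangle -A FORWARD -o $iface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# alternative, fixed value for a $mtu-byte link:
# iptables -t mangle -A FORWARD -o $iface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
EOF
}

# Blackhole probe (Linux iputils ping): send one packet with DF set whose
# total size is exactly the link MTU. A reply means that size passes; no
# reply while smaller sizes work is the classic PMTU blackhole symptom.
# Payload = MTU - 20 (IP) - 8 (ICMP). Needs network access, so it is
# not run automatically.
blackhole_probe() {
    host=$1
    mtu=$2
    ping -M do -c 1 -s $(( mtu - 28 )) "$host"
}

# Verify the clamp rule is actually loaded (root only); returns 0/1.
clamp_rule_present() {
    iptables -t mangle -S FORWARD 2>/dev/null | grep -q -- '-j TCPMSS'
}

# Dry run by default: print the rules. To apply as root:
#   sh this_script.sh | sh
tcpmss_rules "${IFACE:-ppp0}" "${MTU:-1492}"
```

Running it without arguments prints the rule for ppp0 and the commented fixed-MSS alternative; once the rule is loaded, a TCP SYN leaving the box advertises an MSS of 1452, so the far end never sends a 1500-byte segment that the PPPoE link cannot carry and that the blackhole would silently drop.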


