From: Alistair Tonner <Alistair@nerdnet.ca>
To: netfilter@lists.netfilter.org
Subject: Re: squid + clamp-mss-to-pmtu
Date: Thu, 5 May 2005 06:32:38 -0400
Message-ID: <200505050632.38221.Alistair@nerdnet.ca>
In-Reply-To: <1115219353.2802.11.camel@localhost.localdomain>

On May 4, 2005 11:09 am, jonathan wrote:
> Hi,
> I have a problem with squid and iptables.
> I have to use "TCPMSS --clamp-mss-to-pmtu" to adapt the mtu with the ISP
> requirement, but since I have installed the squid proxy, it seems like
> the iptables chains below don't work.
I doubt that squid 'broke' iptables mss clamp.
>
> $iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN /
> -j TCPMSS --clamp-mss-to-pmtu
>
> $iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN /
> -j TCPMSS --clamp-mss-to-pmtu
>
> Some websites are still inaccessible.
You are doing the clamp in both FORWARD and OUTPUT. This is a good idea on
systems that require this function. However, since we don't know the flow on
your system we can't offer much in the way of advice.
Please let us know the following:
1) what is the basic layout of your network
2) where are the systems initiating the failed connections located on that
network
3) where is squid on that network?
4) what are you doing to get connections to go through squid?
5) what other rules are there?
6) what are the tcp_ecn settings on the firewall (I'd suspect ecn before
anything else since there are so many b0rken firewalls out there that don't
understand it)
7) what is meant by inaccessible? what functions of squid might affect this?
8) Are you absolutely sure you checked to make sure tcp_ecn is off?
Completely?
Alistair Tonner
>
> Is there a way to make it work?
>
> thanks
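
Added example, not part of the original thread: a small shell helper that gathers the answers to questions 5 and 6 above (which chains carry the MSS clamp, and what tcp_ecn is set to). The function names are hypothetical and the ruleset is a constructed sample in iptables-save format, including an assumed REDIRECT rule to squid on port 3128.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Read iptables-save output on stdin and print "table/chain" for every
# rule that applies the TCPMSS clamp discussed in this thread.
clamp_chains() {
    awk '
        /^\*/ { table = substr($0, 2) }   # table header: "*nat", "*filter", ...
        /^-A / && /-j TCPMSS/ && /--clamp-mss-to-pmtu/ { print table "/" $2 }
    '
}

# Describe a value read from /proc/sys/net/ipv4/tcp_ecn.
ecn_state() {
    case "$1" in
        0) echo "off" ;;
        1) echo "on: requested on outgoing connections" ;;
        2) echo "passive: accepted only when the peer requests it" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample ruleset (assumption: squid runs on the firewall itself
# and port 80 is redirected to it; the thread does not say this).
sample_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
}

# On a live firewall, as root:
#   iptables-save | clamp_chains
#   ecn_state "$(cat /proc/sys/net/ipv4/tcp_ecn)"
sample_ruleset | clamp_chains
```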