Date: Tue, 10 May 2005 00:50:58 +0200
From: Emanuel Strobl <Emanuel.strobl@gmx.net>
To: freebsd-questions@freebsd.org
Cc: Frank de Bot <ppi@searchy.net>
Subject: Re: ipfw + natd => some sites won't work :-S
Message-ID: <200505100051.08155@harrymail>
In-Reply-To: <427FE73C.5080408@searchy.net>
References: <427FE73C.5080408@searchy.net>
On Tuesday, 10 May 2005 00:42, Frank de Bot wrote:
> Hi,
>
> I got my FreeBSD set up to do nat, but it doesn't work 100%. Sites like
> Google for instance do work, but many others don't. All other protocols

I guess you're using an A-DSL line with PPPoE, right? If so, see tcp-mss fix.
PPPoE consumes 8 bytes of your MTU, so also the maximum segment size of TCP
sessions is reduced by 8 bytes, which the machine behind the NAT box doesn't
know. Your NAT box has to alter the mss field in the TCP header because many
sites have wrongly configured firewalls which simply block all ICMP traffic,
so the error from your router "must fragment" never reaches the originating
host. So the sent packet is too big to go over your line and the "Must
Fragment" bit is ignored... you'll never receive what you've requested.

I'm not familiar with IPFW, perhaps NATD can take care of MSS, PF does with
"max-mss".

-Harry

> seems to be working properly. But why are sites failing to do anything?
> I got running natd with the verbose option and a successful request of
> google is identical to a random other site :S
> The firewall I use is rather big. The most important piece is:
>
> 01200 723 652298 divert 8668 ip from any to 82.94.238.70 via fxp0
> 01200 521 85279 divert 8668 ip from 10.0.5.0/24 to any
> 01200 0 0 allow ip from any to 10.0.5.0/24
> 01201 524 85399 allow ip from 82.94.238.70 to any
> 01201 3 144 allow ip from any to 82.94.238.70
> 01500 871494 216106437 allow tcp from any to any established
>
>
> /etc/natd.conf is:
>
> alias_address %external_ip%
> verbose
>
>
> It just puzzles me why only some http requests would fail and everything
> else works fine!
> Anyone got any idea?
>
>
> Thanks in advance,
>
> Frank de Bot
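The MSS rewrite Harry describes, as an added example that is not part of this thread: a small Python model of what a NAT box (or PF's max-mss) does to an outgoing TCP SYN, lowering an MSS of 1460 to 1452 (1500 minus 8 bytes of PPPoE minus 40 bytes of IP and TCP headers) and recomputing the TCP checksum so the segment stays valid. The SYN packet, the 10.0.5.10 client address and the 203.0.113.1 server address are constructed test input, not anything captured from the poster's setup.

```python
import struct

# Constructed sample addresses: a host on the poster's LAN (10.0.5.0/24) and a TEST-NET server.
SRC, DST = bytes([10, 0, 5, 10]), bytes([203, 0, 113, 1])
PPPOE_MSS = 1500 - 8 - 40   # Ethernet MTU minus 8 bytes PPPoE minus 40 bytes IP+TCP headers = 1452

def _cksum(data: bytes) -> int:  # RFC 1071 ones-complement sum; 0 when data already carries it
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF
def _pseudo(ip: bytes, tcp: bytes) -> bytes:  # TCP pseudo-header: src, dst, zero, proto, length
    return bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
def _mss_offset(tcp: bytes) -> int:  # index of the MSS option (kind 2, length 4) or -1
    i, end = 20, (tcp[12] >> 4) * 4
    while i < end and tcp[i] != 0:                       # walk options until EOL
        if tcp[i] == 2 and tcp[i + 1] == 4:
            return i
        i += 1 if tcp[i] == 1 else tcp[i + 1]            # NOP is a single byte
    return -1

def build_syn(mss: int) -> bytes:  # IPv4 SYN to port 80 with one MSS option (constructed input)
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0))
    tcp += struct.pack("!BBH", 2, 4, mss)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, SRC, DST))
    ip[10:12] = struct.pack("!H", _cksum(bytes(ip)))
    tcp[16:18] = struct.pack("!H", _cksum(_pseudo(ip, tcp) + bytes(tcp)))
    return bytes(ip + tcp)
def read_mss(packet: bytes):
    tcp = packet[(packet[0] & 0x0F) * 4:]
    off = _mss_offset(tcp)
    return None if off < 0 else struct.unpack("!H", tcp[off + 2:off + 4])[0]
def tcp_checksum_ok(packet: bytes) -> bool:
    tcp = packet[(packet[0] & 0x0F) * 4:]
    return _cksum(_pseudo(packet, tcp) + tcp) == 0

def clamp_mss(packet: bytes, max_mss: int = PPPOE_MSS) -> bytes:
    """What the NAT box has to do: lower an oversized MSS in a TCP SYN and fix the checksum."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    off = _mss_offset(tcp) if packet[9] == 6 and tcp[13] & 0x02 else -1   # TCP SYN only
    if off < 0 or struct.unpack("!H", tcp[off + 2:off + 4])[0] <= max_mss:
        return packet
    tcp[off + 2:off + 4] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\x00\x00"                             # zero the checksum, then recompute
    tcp[16:18] = struct.pack("!H", _cksum(_pseudo(packet, tcp) + bytes(tcp)))
    return packet[:ihl] + bytes(tcp)
```

Only SYN segments carry the MSS option, so this is the one packet per connection a NAT box needs to touch; a SYN with an MSS already at or below the limit passes through unchanged.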