Re: [Fwbuilder-discussion] Clamp MSS to MTU
From: Nicole H. <nic...@gm...> - 2008-07-03 13:43:34
Thanks very much!

Nicole

Vadim Kurland wrote:
>
> On Jul 3, 2008, at 6:19 AM, Nicole Hähnel wrote:
>
>> Ok, I activated Clamp MSS to MTU in fwbuilder.
>> If I look into the compiled rules, I see:
>>
>> IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>
>> This is not mangle table?!
>>
>> I'm running fwbuilder 2.1.19.
>>
>
> hmm, I did not know they've changed it. Iptables 1.2.x did not require
> this to be in the mangle table, but newer iptables seems to require
> that. I'll fix it in fwbuilder3, meanwhile you can add this rule
> manually in the "prolog" section.
>
> --vk
>
>> Nicole
>>
>> Vadim Kurland wrote:
>>>
>>> On Jul 3, 2008, at 4:31 AM, Nicole Hähnel wrote:
>>>
>>>> Hi,
>>>>
>>>> I have written that this does not work for us!?
>>>> Strongswan makes it impossible to use the automatically generated rule.
>>>>
>>>
>>> if strongswan adds new rules with "iptables -I FORWARD 1", then these
>>> rules go into the filter table and do not change order of rules in the
>>> mangle table. On the other hand if strongswan adds any rules to the
>>> mangle table using "-I", then of course order will change. I
>>> downloaded strongswan 4.2.4 and inspected script updown that updates
>>> iptables rules when vpn tunnel is established or disconnected. It does
>>> not look like they do anything with mangle table, all rules they add
>>> go into the filter table.
>>>
>>> --vk
>>>
>>>> Nicole
>>>>
>>>> Alexander Runge wrote:
>>>>> Right click on your firewall object -> Edit -> Firewall Settings
>>>>> check: CLAMP MSS to MTU
>>>>>
>>>>> Hth, Alex!
>>>>>
>>>>> On Tuesday 01 July 2008 11:02:22 Nicole Hähnel wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have to add this rule in fwbuilder:
>>>>>> iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>>>>>
>>>>>> How can I add this?
>>>>>>
>>>>>> Activating Clamp MSS to MTU in firewall settings does not work
>>>>>> for us.
>>>>>>
>>>>>> We are running strongswan vpn on our servers, and strongswan adds
>>>>>> for each vpn tunnel
>>>>>> a new rule with "iptables -I FORWARD 1", so every new rule pushes
>>>>>> the ClampMSS rule down,
>>>>>> but this rule has to be on top.
>>>>>>
>>>>>> Thanks!
>>>>>> Nicole
>>>>>>
>>>>>> _______________________________________________
>>>>>> Fwbuilder-discussion mailing list
>>>>>> Fwb...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
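
The thread turns on two things: which table the clamp rule is compiled into, and where it sits in its chain once other rules are inserted. As an added example (not part of the original messages, and not fwbuilder or strongswan code), the script below reads `iptables-save`-format text and reports table, chain and position for every `--clamp-mss-to-pmtu` rule; the sample ruleset and the function names `sample_ruleset`, `clamp_rule_positions` and `clamp_ok` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not taken from the thread):
# one clamp rule in mangle/POSTROUTING, and one in filter/FORWARD that sits
# behind a rule occupying position 1 of that chain.
sample_ruleset() {
cat <<'EOF'
*mangle
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.1.0.0/24 -d 10.2.0.0/24 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
}

# Reads iptables-save output on stdin and prints "table chain position" for
# each rule carrying --clamp-mss-to-pmtu (position is 1-based per chain).
clamp_rule_positions() {
  awk '
    /^\*/  { table = substr($0, 2); next }          # "*mangle" starts a table
    /^-A / { n[table, $2]++                         # count rules per table+chain
             if (index($0, "--clamp-mss-to-pmtu")) print table, $2, n[table, $2] }
  '
}

# Exit status 0 only if a clamp rule exists in the mangle table and every
# clamp rule found there is the first rule of its chain.
clamp_ok() {
  clamp_rule_positions | awk '
    $1 == "mangle" { seen = 1; if ($3 != 1) bad = 1 }
    END { exit ((seen && !bad) ? 0 : 1) }
  '
}

# On a live system (as root): iptables-save | clamp_rule_positions
sample_ruleset | clamp_rule_positions
```

In the sample, the rule at position 1 of filter/FORWARD moves the filter-table clamp rule to position 2 while the mangle-table copy stays at position 1, which matches the table separation described in the thread.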