I have set up vuurmuur on my internet gateway machine and things are running great for the most part. I have port-forwarding enabled for bittorrent, emule, et. However, I seem to be having difficulties connecting to MSN ever since installing vuurmuur. I have my rules setup so that any connections are accepted from the local.lan to the world.inet, since I am not concerned with restricting outgoing connections from my local netowrk. I do not have any port-forwarding setup for MSN, but MSN was working previously with Shorewall firewall without any port-forwarding either. I think the vuurmuur interface is really awesome, so I would really really prefer to stick with vuurmuur and try to track down what the issue might be.
Behaviour: try to connect to MSN, connection icon spins for a long time, then error prompt comes up saying it couldn't connect
Going through the connection tests in the troubleshooting tools of the MSN Live Messenger client, it says that all is good - correct outgoing ports are accessible and so on. It should also be noted that I AM able to connect through gaim on my linux desktop, and Adium on a Mac. It seems to be that only MSN Live Messenger on windows is being affected.
Any help would be greatly appreciated!
-Christian
PS - I previously had trouble with MSN a LONG time ago and remember having to change an MTU network setting. Is there any chance that this would have been altered by vuurmuur and might have anything to do with it?
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
It turns out my 'PS' suspicion was correct. I guess it's been a while since I changed that setting and forgot that it was in the shorewall firewall configuration, and not in my pppoe configuration... Anyways, here is a link to a page describing the problem in general:
Perhaps I am just not looking in the correct place, but I was not able to find a spot in Vuurmuur to change the MTU setting, or invoke the following recommended iptables command:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
For now, I am just running that command manually and things are working fine, connecting to MSN and all. Is there currently a way to perform this command through vuurmuur? If not, would it be difficult to add this functionality? It would be greatly appreciated :) It would also help to alleviate frustration for other users with the same setup, I'm sure!
Just to recap, the problem was related to the gateway setup of:
-pppoe DSL connection
-internet gateway connected to DSL modem
-MTU was set too high, extra bytes required for PPP header in packet so cannot handle big enough packets for some programs (e.g., MSN Live Messenger)
Cheers,
Christian
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Currently there is no way to add this in Vuurmuur itself. I agree there should be a way. If you want you can open up a feature request on the trac with as much info on it as possible. For now you could add it to the PRE-VRMR-FORWARD chain, which will not be overwritten by Vuurmuur reloads. It won't survive reboots though, so you have to make sure it gets loaded on boot.
Thanks for the report!
Victor
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hello,
I have set up vuurmuur on my internet gateway machine and things are running great for the most part. I have port-forwarding enabled for bittorrent, emule, et. However, I seem to be having difficulties connecting to MSN ever since installing vuurmuur. I have my rules setup so that any connections are accepted from the local.lan to the world.inet, since I am not concerned with restricting outgoing connections from my local netowrk. I do not have any port-forwarding setup for MSN, but MSN was working previously with Shorewall firewall without any port-forwarding either. I think the vuurmuur interface is really awesome, so I would really really prefer to stick with vuurmuur and try to track down what the issue might be.
Behaviour: try to connect to MSN, connection icon spins for a long time, then error prompt comes up saying it couldn't connect
Going through the connection tests in the troubleshooting tools of the MSN Live Messenger client, it says that all is good - correct outgoing ports are accessible and so on. It should also be noted that I AM able to connect through gaim on my linux desktop, and Adium on a Mac. It seems to be that only MSN Live Messenger on windows is being affected.
Any help would be greatly appreciated!
-Christian
PS - I previously had trouble with MSN a LONG time ago and remember having to change an MTU network setting. Is there any chance that this would have been altered by vuurmuur and might have anything to do with it?
It turns out my 'PS' suspicion was correct. I guess it's been a while since I changed that setting and forgot that it was in the shorewall firewall configuration, and not in my pppoe configuration... Anyways, here is a link to a page describing the problem in general:
http://www.linux.com/base/ldp/howto/IP-Masquerade-HOWTO/mtu-issues.html
Perhaps I am just not looking in the correct place, but I was not able to find a spot in Vuurmuur to change the MTU setting, or invoke the following recommended iptables command:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
For now, I am just running that command manually and things are working fine, connecting to MSN and all. Is there currently a way to perform this command through vuurmuur? If not, would it be difficult to add this functionality? It would be greatly appreciated :) It would also help to alleviate frustration for other users with the same setup, I'm sure!
Just to recap, the problem was related to the gateway setup of:
-pppoe DSL connection
-internet gateway connected to DSL modem
-MTU was set too high, extra bytes required for PPP header in packet so cannot handle big enough packets for some programs (e.g., MSN Live Messenger)
Cheers,
Christian
Currently there is no way to add this in Vuurmuur itself. I agree there should be a way. If you want you can open up a feature request on the trac with as much info on it as possible. For now you could add it to the PRE-VRMR-FORWARD chain, which will not be overwritten by Vuurmuur reloads. It won't survive reboots though, so you have to make sure it gets loaded on boot.
Thanks for the report!
Victor