On 27 Sep 2002, John Hawley wrote:

> Did something change in the kernel between 2.4.17 and 18 concerning
> ICMP fragmentation? I've been noticing (and getting complaints from
> local users) that some web sites are inaccessible. Sounds like the
> problem of some ISPs / routers not allowing ICMP fragmentation
> packets. I checked some of my firewalls and the problem appears to
> show up on kernels 2.4.18 and higher.
>
> Anyway, the workaround according to the kernel documentation is to add
> this line to the iptables rule set:
>
>   iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
>       -j TCPMSS --clamp-mss-to-pmtu
>
> This does appear to work for clients behind the firewall going to the
> Net. However, this does not fix the problem for the fw box itself.
>
> Anyone else run into this and find a fix?

Got TCP ECN enabled?

  cat /proc/sys/net/ipv4/tcp_ecn

If it's 1, set it to 0. Read the kernel docs for the reasons why.

-- 
Nate Carlson <natecars at real-time.com>   | Phone : (952)943-8700
http://www.real-time.com                   | Fax   : (952)943-8500
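The two things discussed in this thread, the TCPMSS clamp and an ECN-setup SYN, both live in the TCP header of the first segment of a connection. The following is an added illustration, not code from either poster or from the netfilter project: it builds a constructed SYN segment carrying an MSS option, rewrites the MSS the way --clamp-mss-to-pmtu does for IPv4 (path MTU minus the 20-byte IP and 20-byte TCP headers, and only when the advertised MSS is larger), and reports whether the SYN carries the ECE+CWR flag pair that an ECN-enabled Linux 2.4 host sets on outgoing SYNs. Ports, sequence numbers and the sample PMTU of 1492 (a typical PPPoE link) are made up; the TCP checksum is left at zero because only the header is constructed here, and a real middlebox would recompute it after the rewrite.

```python
"""Illustrate MSS clamping and ECN-setup SYN detection on a constructed TCP header.

Added example (not from the original thread). Assumes IPv4, so the clamp
target is pmtu - 40 (20-byte IP header + 20-byte TCP header).
"""
import struct

TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
TCP_FLAG_ECE = 0x40
TCP_FLAG_CWR = 0x80

TCPOPT_EOL = 0   # end of option list
TCPOPT_NOP = 1   # one-byte padding
TCPOPT_MSS = 2   # maximum segment size, always 4 bytes long

IPV4_TCP_OVERHEAD = 40  # bytes of IPv4 + TCP header subtracted from the PMTU


def build_syn(sport, dport, mss, ecn_setup=False):
    """Return a constructed SYN segment (no payload) with a single MSS option.

    Checksum is left as 0; this is sample input, not a transmittable packet.
    """
    flags = TCP_FLAG_SYN
    if ecn_setup:
        # An ECN-capable sender (tcp_ecn=1) marks its SYN with ECE and CWR.
        flags |= TCP_FLAG_ECE | TCP_FLAG_CWR
    options = struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack(
        "!HHIIBBHHH",
        sport, dport,
        0x12345678,          # sequence number (made up)
        0,                   # acknowledgement number (none on a SYN)
        data_offset_words << 4,
        flags,
        65535,               # window
        0,                   # checksum (not computed here)
        0,                   # urgent pointer
    )
    return header + options


def is_ecn_setup_syn(segment):
    """True if this is a SYN (not SYN/ACK or RST) with both ECE and CWR set."""
    flags = segment[13]
    is_syn_only = (flags & (TCP_FLAG_SYN | TCP_FLAG_RST)) == TCP_FLAG_SYN
    return is_syn_only and (flags & (TCP_FLAG_ECE | TCP_FLAG_CWR)) == (TCP_FLAG_ECE | TCP_FLAG_CWR)


def _walk_options(options):
    """Yield (offset, kind, length) for each option; stops at EOL or malformed data."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= len(options):
            return                      # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return                      # malformed length, give up safely
        yield i, kind, length
        i += length


def mss_of(segment):
    """Return the advertised MSS, or None if the segment has no MSS option."""
    data_offset = (segment[12] >> 4) * 4
    options = segment[20:data_offset]
    for off, kind, length in _walk_options(options):
        if kind == TCPOPT_MSS and length == 4:
            return struct.unpack_from("!H", options, off + 2)[0]
    return None


def clamp_mss_to_pmtu(segment, pmtu):
    """Return a copy of segment with its MSS option lowered to pmtu - 40 if larger.

    Mirrors `--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` for IPv4:
    only SYN segments are touched, and an MSS already at or below the clamp
    value is left alone.
    """
    flags = segment[13]
    if (flags & (TCP_FLAG_SYN | TCP_FLAG_RST)) != TCP_FLAG_SYN:
        return bytes(segment)
    data_offset = (segment[12] >> 4) * 4
    options = bytearray(segment[20:data_offset])
    clamp = pmtu - IPV4_TCP_OVERHEAD
    for off, kind, length in _walk_options(options):
        if kind == TCPOPT_MSS and length == 4:
            current = struct.unpack_from("!H", options, off + 2)[0]
            if current > clamp:
                struct.pack_into("!H", options, off + 2, clamp)
    return bytes(segment[:20]) + bytes(options) + bytes(segment[data_offset:])


if __name__ == "__main__":
    syn = build_syn(40000, 80, 1460, ecn_setup=True)
    print("original MSS:", mss_of(syn), "ECN-setup SYN:", is_ecn_setup_syn(syn))
    clamped = clamp_mss_to_pmtu(syn, 1492)
    print("clamped MSS for PMTU 1492:", mss_of(clamped))
```

The clamp only helps traffic that traverses the FORWARD chain, which is exactly the gap the original post describes: SYNs originated by the firewall itself never pass through FORWARD, so on that box the MSS is whatever the local stack advertises. The ECN check shows the other failure mode in the thread: a SYN with ECE and CWR set is still a perfectly valid SYN, so a middlebox that rejects it does so on the flag bits alone, and clearing tcp_ecn removes those bits from every SYN the host sends.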