  • TCP, NAT and 2MSL mismatch

    March 8th, 2006

    We have a client that connects over the NHS internal network to a server hosted at our site. We have lots of clients like this, but these are slightly different because they NAT all their machines to one IP before it gets to us.

    Recently they complained about connection problems, and after lots of investigation we managed to get a packet capture of the problem (IPs changed, of course):

     1  0.00 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
     2  0.00 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [SYN, ACK]
     3  0.01 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
     4  0.08 192.168.0.1 -> 10.0.0.254 HTTP POST
     5  0.24 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [ACK]
     6  0.23 192.168.0.1 -> 10.0.0.254 HTTP Continuation
     7  0.24 10.0.0.254 -> 192.168.0.1 HTTP HTTP/1.1 200 OK 1365
     8  0.24 10.0.0.254 -> 192.168.0.1 HTTP Continuation
     9  0.24 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [FIN, ACK]
    10  0.29 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
    11  0.31 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [FIN, ACK]
    12  0.31 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [ACK]
    13  0.34 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
    14 68.26 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
    15 71.18 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
    16 77.13 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
    17 98.25 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [RST, CWR]
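
    An added example (my own, not part of the post) that runs the 2MSL check over the capture above: it parses the TCP frames, notes that the server (10.0.0.254) sent the first FIN and so holds the old socket in TIME_WAIT, and flags frames 14 to 16 as SYNs that re-use port 2268 while that socket is still inside the 2MSL window, which is consistent with the title of the post. The 240 s value is RFC 793's 2MSL and is an assumption about the server; the NAT box evidently thinks the port is free much sooner.

```python
import re

# RFC 793 sets MSL at 2 minutes, so TIME_WAIT lasts 2MSL = 240 s (Linux uses 60 s).
TWO_MSL = 240.0

# Constructed copy of the TCP frames above (HTTP summary frames carry no ports).
CAPTURE = """\
 1  0.00 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
 2  0.00 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [SYN, ACK]
 3  0.01 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
 9  0.24 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [FIN, ACK]
10  0.29 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
11  0.31 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [FIN, ACK]
12  0.31 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [ACK]
14 68.26 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
15 71.18 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
16 77.13 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
17 98.25 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [RST, CWR]
"""

LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<t>[\d.]+)\s+(?P<src>\S+) -> (?P<dst>\S+)"
    r" TCP (?P<sport>\d+) > (?P<dport>\d+) \[(?P<flags>[^\]]+)\]"
)


def parse(text):
    """Yield (frame, time, (src, sport), (dst, dport), flags) per TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match (e.g. HTTP summaries) are skipped
            flags = {f.strip() for f in m["flags"].split(",")}
            yield (int(m["frame"]), float(m["t"]), (m["src"], int(m["sport"])),
                   (m["dst"], int(m["dport"])), flags)


def find_early_reuse(text, two_msl=TWO_MSL):
    """Return (frame, seconds since close, endpoint in TIME_WAIT) per early SYN."""
    closed, findings = {}, []   # closed: flow key -> (time of last FIN, first closer)
    for frame, t, src, dst, flags in parse(text):
        key = tuple(sorted([src, dst]))  # same 4-tuple whichever way it is sent
        if "RST" in flags:               # a RST tears the state down
            closed.pop(key, None)
        elif "FIN" in flags:             # whoever sent the first FIN sits in TIME_WAIT
            closer = closed[key][1] if key in closed else src
            closed[key] = (t, closer)
        elif "SYN" in flags and "ACK" not in flags and key in closed:
            age = t - closed[key][0]
            if age < two_msl:            # old incarnation still in TIME_WAIT
                findings.append((frame, round(age, 2), closed[key][1]))
    return findings
```

    Calling find_early_reuse(CAPTURE, two_msl=60.0) reports nothing, which is the point: whether the re-use is legal depends on which end's idea of 2MSL you believe.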

    Tags: cisco, NAT, network, networking, tcp, tcpip, troubleshooting


  • netfilter ip_conntrack_ftp and tls

    December 7th, 2005

    Here I am attempting to connect to a server using lftp, wondering why the firewall is blocking the incoming data connections, even though ip_conntrack_ftp has been working for years.

    lftp supports tls, and so does the server I’m connecting to. This means the control connection is encrypted, so the netfilter ftp connection tracker can’t peek inside the packets to find out which ports to open up to allow the data connections. DUH. Ftp sucks.

    Anyway, the only way I found to disable tls support in lftp is to add the following line to ~/.lftp/rc:

    set ftp:ssl-allow false

    Tags: conntrack, firewall, ftp, lftp, linux, netfilter, tcp, tls


  • 2.6.7-8 default window scaling settings

    September 4th, 2004

    My new Fedora installation was playing up with certain web sites, resulting in *very* slow downloads (I could see the words drawing on my screen one by one). An ethereal dump showed a nice big window size, but max 120-byte packets and an ack for each one!

    Well, it turns out that since about kernel 2.6.7, the default tcp_window_scale setting has been 7. The problem is, as was the case with ECN, there are lots of broken routers out there which break window scaling (they strip the TCP options, which is totally against the RFC, and common sense). So the other end doesn't know you're scaling, so it'll think you set (or you think it set) a tiny ickle window size.

    Anyway, I fixed it for now with a 'net.ipv4.tcp_default_win_scale = 0' in my /etc/sysctl.conf, but there is a new kernel patch floating around which seems to be a bit cleverer and is due in the next kernel.

    Tags: ethereal, fedora, linux, tcp


  • John Leach

    • John Leach is a human being living in Leeds, UK.
The text of this blog is licensed under the Creative Commons BY-ND license.