Hi shorewall-users,

Looking further at this, it seems to be related to differing MSS values for the ppp0 and eth3 physical interfaces, and also the virtual interface of the webserver in the DMZ.

tcpdump files at the webserver and firewall interfaces show that the packets are being split into smaller pieces going out the firewall, and that retransmissions are triggered by webserver packets with big payloads. I suppose that this can be tuned via the MTU of the affected interfaces or by the MSS parameter of the shorewall configuration. What are the recommended best practices in this situation?

Links to relevant tcpdump files:
https://drive.google.com/file/d/0B-r0kOumKPg2TUJCZ1cxdS1zbms/view?usp=sharing
https://drive.google.com/file/d/0B-r0kOumKPg2M0s3cnN0Z3dDNUU/view?usp=sharing

Thanks
jCandlish

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
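The fragmentation and retransmission behaviour described in the post comes from a sender negotiating an MSS that fits its own interface MTU but not the smallest MTU on the path (a PPP link typically has a lower MTU than Ethernet). The following model, added here as an illustration and not code from the post or from the Shorewall project, shows what happens to a segment under each condition and what MSS clamping at the firewall changes. The MTU values (1500 for Ethernet, 1492 for the PPP link) and the 1460-byte advertised MSS are constructed assumptions; the post does not state the actual values.

```python
"""Model of TCP segment fate across a path with mixed MTUs, and of MSS clamping.

Constructed example: the MTUs and MSS values below are assumptions, not
figures taken from the mailing-list post.
"""
from dataclasses import dataclass
from math import ceil

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits in one IP packet on a link with this MTU."""
    return mtu - IP_HDR - TCP_HDR


def path_mtu(mtus) -> int:
    """The path MTU is the smallest link MTU along the route."""
    return min(mtus)


def clamp_mss(advertised_mss: int, mtus) -> int:
    """What an MSS-clamping firewall does: lower the SYN's MSS option to the
    value the path can actually carry, leaving smaller values untouched."""
    return min(advertised_mss, mss_for_mtu(path_mtu(mtus)))


@dataclass(frozen=True)
class Fate:
    payload: int     # TCP payload bytes the sender put in the segment
    outcome: str     # "ok", "fragmented" or "dropped"
    fragments: int   # IP packets that reach the far end (0 when dropped)


def segment_fate(payload: int, mtus, df: bool = True) -> Fate:
    """Decide whether one segment passes the path intact, is fragmented by a
    router (DF clear), or is dropped and must be retransmitted (DF set)."""
    pmtu = path_mtu(mtus)
    if payload + IP_HDR + TCP_HDR <= pmtu:
        return Fate(payload, "ok", 1)
    if df:
        # With DF set the router discards the packet; the sender only learns
        # about it through ICMP "fragmentation needed" or a retransmit timeout.
        return Fate(payload, "dropped", 0)
    # IP fragments carry their own IP header and, except for the last, a
    # payload that is a multiple of 8 bytes.
    per_frag = (pmtu - IP_HDR) // 8 * 8
    return Fate(payload, "fragmented", ceil((payload + TCP_HDR) / per_frag))


def simulate(advertised_mss: int, payloads, mtus, df: bool = True,
             clamp: bool = False):
    """Send each requested payload with the negotiated MSS, optionally after
    the firewall has clamped that MSS, and report the fate of each segment."""
    mss = clamp_mss(advertised_mss, mtus) if clamp else advertised_mss
    return [segment_fate(min(p, mss), mtus, df) for p in payloads]


if __name__ == "__main__":
    # Assumed topology: DMZ Ethernet (1500) -> firewall -> PPP uplink (1492).
    path = [1500, 1492, 1500]
    big_and_small = [1460, 500]
    print("unclamped, DF set:   ", simulate(1460, big_and_small, path))
    print("unclamped, DF clear: ", simulate(1460, big_and_small, path, df=False))
    print("clamped at firewall: ", simulate(1460, big_and_small, path, clamp=True))
```

The third line of output is the case an MSS-clamping rule on the firewall produces: the large segment shrinks to the path limit and arrives as a single packet, so neither fragmentation nor retransmission occurs. Lowering the MTU on the DMZ host's interface achieves the same effect for that one host, but clamping at the firewall covers every host behind it.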