On 03/07/2016 09:47 AM, John Candlish wrote:
> On Mon, Mar 7, 2016 at 6:34 PM, Tom Eastep <teas...@shorewall.net> wrote:
>> Have you set CLAMPMSS=Yes?
>
> Yes.
>
> Could the problem be related to the net_dnat chain?
>
> Chain net_dnat (2 references)
>  pkts bytes target  prot opt in    out  source      destination
>     0     0 DNAT    tcp  --  eth3  *    0.0.0.0/0   81.63.145.193  multiport dports 80,443,8080 to:81.63.145.197
>   994 55601 DNAT    tcp  --  eth3  *    0.0.0.0/0   5.145.19.28    multiport dports 80,443,8080 to:81.63.145.197
>

No.

> The interface serving destination 81.63.145.193 has a 1492 MTU and
> the other a 1500 MTU.
>
> Is there an easy way to better constrain the DNAT rule such that the
> entry for destination 81.63.145.193 is not generated?
> DNAT net:eth3 dmz:81.63.145.197 tcp 80,443,8080
>
> The eth3 interface gets its address via DHCP but will always fall
> within the 5.145.19.28/19 range.
>

You are apparently specifying that IP address in the ORIGINAL_DEST
column. If you simply leave that column blank or with value '-', the
destination will not be restricted.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users