I have an Ubuntu 14 based firewall running iptables configured through FWBuilder. If I ssh onto the firewall and run

openssl s_client -connect 176.34.155.20:443

I get a full set of responses

CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
 verify error:num=20:unable to get local issuer certificate
 verify return:0
---
Certificate chain
0 s:/C=US/ST=Pennsylvania/L=Paoli/O=Duck Duck Go, Inc./CN=*.duckduckgo.com

etc. (there's lots more returned), but if I try it on a client (either a Mac OS X 10.10.5 client or a Linux Raspbian 7 client) accessing the network through the firewall, all I get back is

CONNECTED(00000003)

And nothing else.

Now it isn't all sites. https://www.google.co.uk works on the client as well as the firewall, but clearly https://www.duckduckgo.com doesn't, so it is something to do with the TLS that these sites are using. I also have the same issue with some IMAP over SSL/TLS hosts but not all... It did work until a recent network outage required a firewall reboot, but not now.

I cannot fathom out why I don't get a response, and neither can the SAs sat around me come up with any solutions. Any ideas?

rolandw
  • could you add the output of `sudo iptables -L -n` to your question? – chicks Sep 28 '15 at 15:30
  • I could attach the iptables info, but a little further digging has revealed that it is something to do with MTU. I have an MTU on the outbound interface of 1492 but 1500 on the clients' interface. Therefore some SSL comms are losing those 8 bits. By changing the MTU of the clients' interface to 1492 (`sudo ifconfig eth0 mtu 1492`) all seems to work, so now I'm trying to set the MTU of clients' interfaces to 1492 via DHCP or throttling the switch to only provide an MTU of 1492. Will post when I've tried these... – rolandw Sep 28 '15 at 17:13
  • You are losing most of the people capable of writing an answer at "...configured through FWBuilder", I guess. Instead of using automagical tools and asking for help, you could at least try to write the rule list by yourself. – drookie Sep 28 '15 at 18:02
  • Try to turn on the option "Clamp MSS to MTU" in fwbuilder (it's in the Firewall Settings dialog). This will make the generated firewall configuration execute the following iptables command: `$IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`. With this in place, you should not need to update the MTU on all of your clients behind the firewall. – vadimk Sep 29 '15 at 20:22
  • Thanks @vadimk :) For Shorewall I had to change option `CLAMPMSS` to "Yes". This does what you suggested, and is "No" by default. – Adambean Jun 11 '19 at 17:29

0 Answers