gabriel rosenkoetter on Tue, 9 Apr 2002 13:15:57 -0400



Re: [PLUG] Inability to download through firewall machine, but can browse


On Tue, Apr 09, 2002 at 12:39:46PM -0400, Gregson Helledy wrote:
> This occurs with http transfers initiated from the browser, and
> also from an ftp client.  (A gnutella client works fine, though.)

Those are three drastically different protocols. (The fact that they
all get files onto your computer has nothing to do with it.)

If web browsing works but transferring large files does not, there's
something broken about your firewall setup (that is, it's losing
state over time, perhaps). Check your firewall software's log files.

If downloading via ftp doesn't work, you're not running an ftp
proxy. (That's okay, they don't work right half the time anyway.)
Put your ftp client in passive mode and you'll be fine.

> The most annoying thing is that I seem to be
> able to download from some sites without problem, from others I can
> eventually succeed if I re-initiate the transfer many times, and with some I
> have no luck at all.

Weird. What do your logs say?

> For example, I can download this .pdf file from my employer's web page
> without problem:
> http://www.gra-inc.com/Airlines.PDF
> 
> While if I want to download a windows bzflag client, either the transfer
> never starts, or I get approx 1K of data and the download stalls:
> http://prdownloads.sourceforge.net/bzflag/bzflag17e2.exe

Hrm. Plausibly, you're having trouble with sites that do round-robin
DNS or, more likely, ICMP redirects. You need to allow several kinds of
ICMP traffic to pass freely through your firewall in order for it to
actually be an RFC-compliant gateway: ICMP unreachable, ICMP
redirect, and ICMP don't fragment. Your firewall software's
documentation should say how to do this.

> I don't know whether this is related, but I've installed samba on the
> firewall machine with the hope of using it for file and printer sharing.
> When I sit at the firewall machine to use swat:
> 
> lynx http://localhost:901
> 
> I initially get an "access denied" message from lynx, but then I wait a few
> seconds, the issue resolves itself, and I'm looking at the swat page.  My
> gut tells me that this may be related, but I'm not sure what terms to search
> for in the samba docs.

What makes you think that this has anything to do with contacting
the outside world from inside your firewall?

If you're on the firewall machine and you point lynx at localhost,
it's going to 127.0.0.1 which is almost definitely treated in a
drastically different manner than other addresses. (If it's not, it
should be or a lot of things will break.)

-- 
gabriel rosenkoetter
gr@eclipsed.net
