Re: [pmfirewall] 128-bit encrypted sites don't work on remote subnets?


From: Greg Stewart (stewartg@worldspy.net)
Date: Fri Jun 02 2000 - 14:22:30 PDT


It sounds like it might be a client configuration problem...

What OS is on the remote clients? What Browser?

If Linux, maybe the clients don't have the 128bit enabled Netscape...
If Win 9x, they may need 128bit enabled IE5 or Netscape, if NT4
they'll need the 128bit version of Service Pack 5 or higher.

Does this help?

----- Original Message -----
From: <stnick@aquinascafe.org>
To: <pmfirewall@pointman.org>
Sent: Friday, June 02, 2000 4:12 PM
Subject: [pmfirewall] 128-bit encrypted sites don't work on remote subnets?

> PmFirewallers-
>
> Ok, here is a weird one. I don't think it is related to pmfirewall per
> se, but might be related to ipchains/ipmasq in general, so thought you
> experts might have an idea about it.... The general problem is that I
> can't get some machines to access certain internet web pages- they seem
> to be ones that use 128 bit encryption and/or https (ie. port 443).
>
> I have a box working as an internet DSL line masquerade server for a
> local subnet and several remote subnets networked via routers. I don't
> administrate the routers or have any control over them, so let's assume
> for a moment that they are not the problem. So, here is the config....
>
>                                  --209.142.xxx.xxx
> [Internet]----DSL-Line/Modem----/ Linux Masq Server ---Hub------local subnet
>                                  192.168.140.200---/    |       192.168.140.x
>                                                         |
>                                                         |
>                                                      router
>                                                  192.168.140.254
>                                                      /  |  \
>                                                     /   |   \
>                                                    /    |    \
>                                              remote  remote  remote
>                                    192.168.141.x  192.168.142.x  192.168.143.x
>
> Okay, so to get the packets flowing amongst the subnets properly from
> the linux masq server I do:
>
> route add -net 192.168.140.0 netmask 255.255.255.0 gw 192.169.140.254
> route add -net 192.168.141.0 netmask 255.255.255.0 gw 192.169.140.254
> route add -net 192.168.142.0 netmask 255.255.255.0 gw 192.169.140.254
> route add -net 192.168.143.0 netmask 255.255.255.0 gw 192.169.140.254
>
>
> And to get masq'ing to work I do (after loading all available masq
> modules, of course):
>
> /sbin/ipchains -A forward -j MASQ \
> -s 192.168.140.0/24 -d 0.0.0.0/0
> /sbin/ipchains -A forward -j MASQ \
> -s 192.168.141.0/24 -d 0.0.0.0/0
> /sbin/ipchains -A forward -j MASQ \
> -s 192.168.142.0/24 -d 0.0.0.0/0
> /sbin/ipchains -A forward -j MASQ \
> -s 192.168.143.0/24 -d 0.0.0.0/0
>
> pmfirewall also gets fired up, but it is not the problem because I have
> tested it without pmfirewall running and still get the problem.
>
> Specifically, the problem is this: any machine on the masq server's
> local net (192.168.140.x) can access this page (for instance):
> https://bsdnet.officedepot.com , but no machine on any remote subnet
> (eg. 192.168.141.x) can access it. When the remote subnets try to
> access it, the dns lookup is successful, the contact packet is sent, and
> then nothing, the web browser hangs and hangs and never gets a return
> packet from the website. The remote subnets can access "normal" web
> pages, and other services (AIM, for instance) without any problem.
>
> Ideas?
>
> -Patrick

****************************************************************************
* To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
* in the message body to majordomo@pointman.org. Please direct other
* questions, comments, or problems to pmfirewall-owner@pointman.org.
*
* Need answers fast? Check the list archive located at:
* http://www.pointman.org/PMFirewall/list-archive/
*
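
An added example, not part of either message and not pmfirewall code: a small Python consistency check over the `route` and `ipchains` commands quoted above. It reports any gateway that is not on the masquerade server's directly connected network, any directly connected network routed via a gateway, and any routed subnet with no MASQ rule. The /24 mask on the inside interface and the names `lint`, `POSTED` and `INSIDE_IF` are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the commands as quoted in the message above,
# with the backslash continuation lines joined.
POSTED = """\
route add -net 192.168.140.0 netmask 255.255.255.0 gw 192.169.140.254
route add -net 192.168.141.0 netmask 255.255.255.0 gw 192.169.140.254
route add -net 192.168.142.0 netmask 255.255.255.0 gw 192.169.140.254
route add -net 192.168.143.0 netmask 255.255.255.0 gw 192.169.140.254
/sbin/ipchains -A forward -j MASQ -s 192.168.140.0/24 -d 0.0.0.0/0
/sbin/ipchains -A forward -j MASQ -s 192.168.141.0/24 -d 0.0.0.0/0
/sbin/ipchains -A forward -j MASQ -s 192.168.142.0/24 -d 0.0.0.0/0
/sbin/ipchains -A forward -j MASQ -s 192.168.143.0/24 -d 0.0.0.0/0
"""

# Assumption: the inside interface is 192.168.140.200 with a /24 mask
# (address taken from the diagram, mask inferred from the route commands).
INSIDE_IF = ipaddress.ip_interface("192.168.140.200/24")

ROUTE_RE = re.compile(r"route add -net (\S+) netmask (\S+) gw (\S+)")
MASQ_RE = re.compile(r"ipchains -A forward -j MASQ .*?-s (\S+)")


def lint(text, inside_if=INSIDE_IF):
    """Return a list of findings for the route/MASQ commands in text."""
    findings = []
    routes = [(ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(gw))
              for net, mask, gw in ROUTE_RE.findall(text)]
    masq = [ipaddress.ip_network(src) for src in MASQ_RE.findall(text)]
    for net, gw in routes:
        # A next hop must be reachable on a directly connected network.
        if gw not in inside_if.network:
            findings.append(f"{net}: gateway {gw} is not on-link ({inside_if.network})")
        # The interface's own network needs no gateway route.
        if net == inside_if.network:
            findings.append(f"{net}: directly connected network routed via a gateway")
        # Every routed inside network should be covered by a MASQ source rule.
        if not any(net.subnet_of(m) for m in masq):
            findings.append(f"{net}: no MASQ rule covers this source network")
    return findings


if __name__ == "__main__":
    for finding in lint(POSTED):
        print(finding)
```
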



This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:35:02 PDT