[UCIMC-Tech] Re: Google via IMC wired ethernet [was: bikeproject computer]

Barry Isralewitz barryi at ks.uiuc.edu
Fri Sep 5 16:13:38 CDT 2008


Hi Josh,

  How goes the UCIMC firewall alterations?  Do you know about when
they'll be done, and we'll have access to Google sites? I saw the same
"everything works except Google" problem with my Mac OS 10.4 laptop
using the UCIMC wireless network, in Room 24 last night.  I don't see
this problem anywhere else with my laptop.

Details:
  Just like with the Bike Project BSD machine,
every site worked except for Google sites, and sites that halted waiting
for googlesyndication.com and Google metrics.
  
  My laptop has been on scores (hundreds?) of wireless networks, UCIMC
is the only place where I've seen "everything works except Google".
Since this is a public wireless network, it should probably work with
standard configuration machines.

  As I might have told you earlier, Bike Project is relying increasingly
on an external wiki which uses googlesyndication, so works everywhere
except in Bike Project (using local Mediawiki would be better, yes), and
have lots of call to access Google mail and Google docs.
  

  
                  Cheers,

                  Barry

On Tue, Sep 02, 2008 at 03:36:20PM -0500, Barry Isralewitz wrote:
> Hi Josh,
> 
> 
> On Wed, Aug 06, 2008 at 10:38:34AM -0500, Josh King wrote:
> > Hey Barry,
> > 
> > Oh, it is most definitely a problem with the firewall. The thing is,
> > it's not something that can be fixed without overhauling the operating
> > system on the firewall. The whole thing is actually symptomatic of an
> > obscure bug in the way that OpenBSD (which is on the firewall) and Linux
> > (and apparently FreeBSD, judging from your computer), interact when
> > managing TCP/IP streams.
> 
>   Okay, I will try and get Ubuntu installed on the Bike Project machine
> shortly -- I've been meaning to do this for a while for unrelated
> reasons.
> 
>   After I install the Ubuntu machine, will I have to make any changes to
> allow it to work with the wired building network?  Are there any recent
> firewall changes that happened at end of August 2008 (last few days)
> that I should know about?
> 
>  Observations: 
>   I last week witnessed Ubuntu machines in IMC (one upstairs in the
> Production Room) reach Google without trouble.  On the other hand, I do
> see non-BSD machines in basement ('computer lab' Ubuntu, laptops connecting over
> basement wireless) having trouble reaching Google / not reaching Google
> at all.  Bike Project machine still not reaching Google, when I last
> checked on Friday, Aug. 29.
> 
> 
>           Cheers,
> 
>           Barry
>  
> > The thing is, it's a super-easy fix on a linux
> > system to get it to work right with our firewall (adding
> > net.ipv4.tcp_window_scaling = 0 to the /etc/sysctl.conf file) but a
> > super-hard one to fix on the firewall itself. All the workstations and
> > public access terminals in the building already have that fix set up,
> > and the problem doesn't even seem to affect most computers. I've just
> > never had to fix the problem on a FreeBSD box before, so I'm still
> > trying to ascertain the correct sysctl.conf directive
> > (net.inet.tcp.rfc1323 = 0 is the correct fix from everything I've read).
> > We plan on completely overhauling the firewall; it's just that up to
> > this point it would mean a significant amount of downtime for the whole
> > building while the firewall's operating system is replaced and
> > recompiled. We only recently managed to afford the hardware for
> > outfitting a secondary firewall box; once we set that up, when OJC moves
> > out (freeing up the wattage in the server room, since we can't even
> > squeeze one more box in there on the current circuit) we'll stick the
> > second firewall in, bridge the connections across, then take out the
> > first firewall for recompiling, thus minimizing downtime. I'm still
> > trying to implement a fix, but at worst everything will work when we
> > overhaul the network at the end of the month.
> > 
> > Barry Isralewitz wrote:
> > > On Fri, Aug 01, 2008 at 08:57:32PM -0500, Josh King wrote:
> > > 
> > >> Hey Barry,
> > >>
> > >> Damn. I'm pretty certain that the thing I'm trying to fix (the size of
> > >> the TCP packet frames) is the problem, since as it turns out the
> > >> computer in the library has developed the same issue where it can't
> > >> reach google, and the TCP frames is a familiar bugfix which eliminated
> > >> the problem on the library computer. However, I've never had to
> > >> implement that fix before on a FreeBSD computer. It may be that I have
> > >> the option wrong. I'll look into it a little more and get back to you,
> > >> sorry about that.
> > > 
> > >   Thanks much for the work on this.
> > > 
> > >   Any chance this is a problem with a router setting in the building, and not
> > > the FreeBSD machine?  Quick test (which I wish I'd done the last time I was in
> > > the IMC): unplug the RJ-45 from Bike Project machine (temporarily),
> > > so you can plug it in a known-good laptop.  If the laptop behaves the same way
> > > as the Bike Project FreeBSD machine, (i.e. can reach everything except google),
> > > might help figure out where the problem is.  Apologies if you've already
> > > thought of this ...
> > > 
> > >   
> > >                       Cheers,
> > > 
> > >                       Barry 
> > > 
> > >> Barry Isralewitz wrote:
> > >>> Hi,
> > >>>
> > >>> On Fri, Aug 01, 2008 at 01:32:25PM -0500, Josh King wrote:
> > >>>> Hey Barry,
> > >>>>
> > >>>> I forgot that your computer doesn't have sudo installed, so my account
> > >>>> on there doesn't have administrative access. In any event, I believe
> > >>>> that the fix is to add the line:
> > >>>>
> > >>>> net.inet.tcp.rfc1323 = 0
> > >>>>
> > >>>> to the end of the file /etc/sysctl.conf, and either restart the computer
> > >>>> or run the command (as root) sysctl -f /etc/sysctl.conf
> > >>>>
> > >>>> If that works, then you can remove my account (`pw userdel jking` should
> > >>>> work) and shut off sshd (change enable_sshd="YES" to enable_sshd="NO" in
> > >>>> /etc/rc.conf, and run /etc/rc.d/sshd stop). Let me know whether this is
> > >>>> successful.
> > >>>> -- 
> > >>>> Josh King
> > >>>  Thanks!
> > >>>
> > >>>  I added above net.inet line and rebooted, but did not seem to help much...
> > >>>
> > >>>
> > >>>             Cheers,
> > >>>
> > >>>             Barry
> > >>>> --
> > >>>> josh at ucimc.org
> > >>>> --
> > >>>> System Administrator, Chambana.net (http://www.chambana.net)
> > >>>> --
> > >>>> "I am an Anarchist not because I believe Anarchism is the final goal,
> > >>>> but because there is no such thing as a final goal." -Rudolf Rocker
> > >>>>
> > >>>>
> > >>>
> > >>>
> > >> -- 
> > >> Josh King
> > >> --
> > >> josh at ucimc.org
> > >> --
> > >> System Administrator, Chambana.net (http://www.chambana.net)
> > >> --
> > >> "I am an Anarchist not because I believe Anarchism is the final goal,
> > >> but because there is no such thing as a final goal." -Rudolf Rocker
> > >>
> > >>
> > > 
> > > 
> > > 
> > 
> > -- 
> > Josh King
> > --
> > josh at ucimc.org
> > --
> > System Administrator, Chambana.net (http://www.chambana.net)
> > --
> > "I am an Anarchist not because I believe Anarchism is the final goal,
> > but because there is no such thing as a final goal." -Rudolf Rocker
> > 
> > 
> 
> 
> 
> -- 
> Barry Isralewitz, Ph. D.
> Theoretical and Computational Biophysics Group,
> University of Illinois at Urbana-Champaign 
> Beckman 3043   Phone: (217) 244-1612   Home Phone: (217) 337-6364
> email: barryi at ks.uiuc.edu      http://www.ks.uiuc.edu/~barryi

-- 
Barry Isralewitz, Ph. D.
Theoretical and Computational Biophysics Group,
University of Illinois at Urbana-Champaign 
Beckman 3043   Phone: (217) 244-1612   Home Phone: (217) 337-6364
email: barryi at ks.uiuc.edu      http://www.ks.uiuc.edu/~barryi
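
Added example (not part of the original e-mail thread): one way to confirm from a packet capture that the `net.ipv4.tcp_window_scaling = 0` or `net.inet.tcp.rfc1323 = 0` setting discussed above actually took effect is to check whether the client's SYN still carries the RFC 1323 window scale option. The function names and the two sample SYN headers below are constructed for illustration.

```python
import struct

# TCP option kinds (RFC 793 / RFC 1323)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_TIMESTAMP = 0, 1, 2, 3, 8

def parse_syn_options(tcp: bytes) -> dict:
    """Parse a raw TCP header (no IP header) and return the options it carries."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(tcp):
        raise ValueError("bad data offset")
    found = {"syn": bool(off_flags & 0x002), "window": window}
    opts, i = tcp[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            found["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            found["wscale"] = body[0]          # shift count applied to later windows
        elif kind == OPT_TIMESTAMP and length == 10:
            found["timestamp"] = struct.unpack("!II", body)
        i += length
    return found

def offers_window_scaling(tcp: bytes) -> bool:
    """True if this segment is a SYN that offers the window scale option."""
    o = parse_syn_options(tcp)
    return o["syn"] and "wscale" in o

def build_syn(options: bytes) -> bytes:
    """Constructed sample: a SYN from port 40000 to port 80 with the given options."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    off_flags = (((20 + len(options)) // 4) << 12) | 0x002
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, 5840, 0, 0) + options

# Constructed samples: MSS, SACK-permitted, timestamp, NOP, wscale=7 versus MSS, NOP, NOP, SACK-permitted
SYN_DEFAULT = build_syn(b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + struct.pack("!II", 1000, 0) + b"\x01\x03\x03\x07")
SYN_WORKAROUND = build_syn(b"\x02\x04\x05\xb4\x01\x01\x04\x02")
```

If a SYN captured after the reboot still parses with a `wscale` key, the sysctl change did not reach the running kernel and the workaround is not yet being tested.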