[UCIMC-Tech] Re: Google via IMC wired ethernet [was: bikeproject computer]

Stuart Levy slevy at ncsa.uiuc.edu
Thu Sep 25 14:04:33 CDT 2008


On Fri, Sep 05, 2008 at 04:13:38PM -0500, Barry Isralewitz wrote:
> Hi Josh,
> 
>   How goes the UCIMC firewall alterations?  Do you know about when
> they'll be done, and we'll have access to Google sites? I saw the same
> "everything works except Google" problem with my Mac OS 10.4 laptop
> using the UCIMC wireless network, in Room 24 last night.  I don't see
> this problem anywhere else with my laptop.

After Dave Young's explanation and a little digging,
here's a possible workaround for disabling TCP window scaling on a Mac:

(in a Terminal window)

    sudo /usr/sbin/sysctl -w net.inet.tcp.rfc1323=0

Note no spaces around the "=" sign.

The sudo command will prompt for your password and run the sysctl
command as root.   I haven't been able to test this yet but it may work.

The above recipe is MacOS X-specific.
It will revert to the old behavior each time you reboot the Mac,
so you'll need to keep doing this.


On Linux, the corresponding trick would be

    sudo /sbin/sysctl -w net.ipv4.tcp_window_scaling=0

This too will revert on each reboot.  On at least some Linux flavors,
you can add an entry to the text file "/etc/sysctl.conf" reading
    net.ipv4.tcp_window_scaling = 0
to reinstall on each reboot.

I don't know the corresponding Windows recipe -- it might be OK by default
on XP, but if Vista enables window scaling by default then I'm not sure
how to disable it.


 
> Details:
>   Just like with the Bike Project BSD machine,
> every site worked except for Google sites, and sites that halted waiting
> for googlesyndication.com and Google metrics.
>   
>   My laptop has been on scores (hundreds?) of wireless networks, UCIMC
> is the only place where I've seen "everything works except Google".
> Since this is a public wireless network, it should probably work with
> standard configuration machines.
> 
>   As I might have told you earlier, Bike Project  is relying increasingly
> on an external wiki which uses googlesyndication, so works everywhere
> except in Bike Project (using local Mediawiki would be better, yes), and
> have lots of call to access Google mail and Google docs.  
>   
> 
>   
>                   Cheers,
> 
>                   Barry
> 
> On Tue, Sep 02, 2008 at 03:36:20PM -0500, Barry Isralewitz wrote:
> > Hi Josh,
> > 
> > 
> > On Wed, Aug 06, 2008 at 10:38:34AM -0500, Josh King wrote:
> > > Hey Barry,
> > > 
> > > Oh, it is most definitely a problem with the firewall. The thing is,
> > > it's not something that can be fixed without overhauling the operating
> > > system on the firewall. The whole thing is actually symptomatic of an
> > > obscure bug in the way that OpenBSD (which is on the firewall) and Linux
> > > (and apparently FreeBSD, judging from your computer), interact when
> > > managing TCP/IP streams.
> > 
> >   Okay, I will try and get Ubuntu installed on the Bike Project machine
> > shortly -- I've been meaning to do this for a while for unrelated
> > reasons.
> > 
> >   After I install the Ubuntu machine, will I have to make any changes to
> > allow it to work with the wired building network?  Are there any recent
> > firewall changes that happened at end of August 2008 (last few days)
> > that I should know about?
> > 
> >  Observations: 
> >   I last week witnessed Ubuntu machines in IMC (one upstairs in the
> > Production Room) reach Google without trouble.  On the other hand, I do
> > see non-BSD machines in basement ('computer lab' Ubuntu, laptops connecting over
> > basement wireless)  having trouble reaching Google / not reaching Google
> > at all..  Bike Project machine still not reaching Google, when I last
> > checked on Friday, Aug. 29.
> > 
> > 
> >           Cheers,
> > 
> >           Barry
> >  
> > > The thing is, it's a super-easy fix on a linux
> > > system to get it to work right with our firewall (adding
> > > net.ipv4.tcp_window_scaling = 0 to the /etc/sysctl.conf file) but a
> > > super-hard one to fix on the firewall itself. All the workstations and
> > > public access terminals in the building already have that fix set up,
> > > and the problem doesn't even seem to affect most computers. I've just
> > > never had to fix the problem on a FreeBSD box before, so I'm still
> > > trying to ascertain the correct sysctl.conf directive
> > > (net.inet.tcp.rfc1323 = 0 is the correct fix from everything I've read).
> > > We plan on completely overhauling the firewall; it's just that up to
> > > this point it would mean a significant amount of downtime for the whole
> > > building while the firewall's operating system is replaced and
> > > recompiled. We only recently managed to afford the hardware for
> > > outfitting a secondary firewall box; once we set that up, when OJC moves
> > > out (freeing up the wattage in the server room, since we can't even
> > > squeeze one more box in there on the current circuit) we'll stick the
> > > second firewall in, bridge the connections across, then take out the
> > > first firewall for recompiling, thus minimizing downtime. I'm still
> > > trying to implement a fix, but at worst everything will work when we
> > > overhaul the network at the end of the month.
> > > 
> > > Barry Isralewitz wrote:
> > > > On Fri, Aug 01, 2008 at 08:57:32PM -0500, Josh King wrote:
> > > > 
> > > >> Hey Barry,
> > > >>
> > > >> Damn. I'm pretty certain that the thing I'm trying to fix (the size of
> > > >> the TCP packet frames) is the problem, since as it turns out the
> > > >> computer in the library has developed the same issue where it can't
> > > >> reach google, and the TCP frames is a familiar bugfix which eliminated
> > > >> the problem on the library computer. However, I've never had to
> > > >> implement that fix before on a FreeBSD computer. It may be that I have
> > > >> the option wrong. I'll look into it a little more and get back to you,
> > > >> sorry about that.
> > > > 
> > > >   Thanks much for the work on this.
> > > > 
> > > >   Any chance this is a problem with a router setting in the building, and not
> > > > the FreeBSD machine?  Quick test (which I wish I'd done the last time I was in
> > > > the IMC): unplug the RJ-45 from Bike Project machine (temporarily),
> > > > so you can plug it in a known-good laptop.  If the laptop behaves the same way
> > > > as the Bike Project FreeBSD machine, (i.e. can reach everything except google),
> > > > might help figure out where the problem is.  Apologies if you've already
> > > > thought of this ...
> > > > 
> > > >   
> > > >                       Cheers,
> > > > 
> > > >                       Barry 
> > > > 
> > > >> Barry Isralewitz wrote:
> > > >>> Hi,
> > > >>>
> > > >>> On Fri, Aug 01, 2008 at 01:32:25PM -0500, Josh King wrote:
> > > >>>> Hey Barry,
> > > >>>>
> > > >>>> I forgot that your computer doesn't have sudo installed, so my account
> > > >>>> on there doesn't have administrative access. In any event, I believe
> > > >>>> that the fix is to add the line:
> > > >>>>
> > > >>>> net.inet.tcp.rfc1323 = 0
> > > >>>>
> > > >>>> to the end of the file /etc/sysctl.conf, and either restart the computer
> > > >>>> or run the command (as root) sysctl -f /etc/sysctl.conf
> > > >>>>
> > > >>>> If that works, then you can remove my account (`pw userdel jking` should
> > > >>>> work) and shut off sshd (change enable_sshd="YES" to enable_sshd="NO" in
> > > >>>> /etc/rc.conf, and run /etc/rc.d/sshd stop). Let me know whether this is
> > > >>>> successful.
> > > >>>> -- 
> > > >>>> Josh King
> > > >>>  Thanks!
> > > >>>
> > > >>>  I added above net.inet line and rebooted, but did not seem to help much...
> > > >>>
> > > >>>
> > > >>>             Cheers,
> > > >>>
> > > >>>             Barry
> > > >>>> --
> > > >>>> josh at ucimc.org
> > > >>>> --
> > > >>>> System Administrator, Chambana.net (http://www.chambana.net)
> > > >>>> --
> > > >>>> "I am an Anarchist not because I believe Anarchism is the final goal,
> > > >>>> but because there is no such thing as a final goal." -Rudolf Rocker
> > > >>>>
> > > >>>>
> > > >>>
> > > >>>
> > > >>
> > > >>
> > > > 
> > > > 
> > > > 
> > > 
> > > 
> > > 
> > 
> > 
> > 
> > -- 
> > Barry Isralewitz, Ph. D.
> > Theoretical and Computational Biophysics Group,
> > University of Illinois at Urbana-Champaign 
> > Beckman 3043   Phone: (217) 244-1612   Home Phone: (217) 337-6364
> > email: barryi at ks.uiuc.edu      http://www.ks.uiuc.edu/~barryi
> 
> _______________________________________________
> IMC-Tech mailing list
> IMC-Tech at lists.ucimc.org
> http://lists.chambana.net/cgi-bin/listinfo/imc-tech
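
An added example, not part of the original message or thread: a shell check that the window-scaling workaround discussed above is active and whether it will survive a reboot. The helper names (`wscale_key`, `conf_value`, `wscale_state`, `wscale_report`) are hypothetical; the sysctl keys and the `/etc/sysctl.conf` path are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, keys are those from the thread.

# Map an OS name (as printed by `uname -s`) to the sysctl key to inspect.
wscale_key() {
    case "$1" in
        Linux)          echo net.ipv4.tcp_window_scaling ;;
        Darwin|FreeBSD) echo net.inet.tcp.rfc1323 ;;
        *)              return 1 ;;
    esac
}

# Print the last value assigned to key $1 in sysctl.conf-style file $2.
# Accepts both "key=0" and "key = 0"; ignores # and ; comment lines.
conf_value() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val; else exit 1 }
    ' "$2"
}

# Classify from the live value ($1) and the persisted value ($2, may be empty).
wscale_state() {
    case "$1" in
        0)  if [ "$2" = "0" ]; then echo disabled-persistent
            else echo disabled-until-reboot; fi ;;
        "") echo unknown ;;
        *)  echo scaling-enabled ;;
    esac
}

# Report for this machine; $1 optionally overrides the config file path.
wscale_report() {
    key=$(wscale_key "$(uname -s)") || { echo "unsupported OS" >&2; return 1; }
    live=$(sysctl -n "$key" 2>/dev/null) || live=
    saved=$(conf_value "$key" "${1:-/etc/sysctl.conf}" 2>/dev/null) || saved=
    echo "$key: $(wscale_state "$live" "$saved")"
}
```

Source the file and run `wscale_report`; a result of `disabled-until-reboot` means the `sysctl -w` command took effect but no matching line was found in the config file.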

