#1
Strange web access problem
Hi there,
I am seeing a strange problem with my system:

Asus K8NE deluxe
Windows XP home and Windows XP 64, xp firewall disabled
Mozilla 1.7 / Firefox / IE

With the Nvidia motherboard firewall enabled (even on low setting), I get the error message "operation timed out when attempting to contact..." with certain websites, eg:

www.tesco.com
www.dabs.com
www.insight.com

If I turn the Nvidia firewall off, I can access the websites no problem.

I assume I need to create a rule in the firewall to allow something through, but am not sure what? There are no entries in the firewall log, but the information tab shows that some outgoing packets are being blocked.

All I can think to do is install ethereal and try and spot which packets are getting stopped. Can anyone suggest an easier option (other than turning off the firewall?)

Cheers,
Chris.
--
cut along the dotted line to reply
#2
In article , Chris wrote:

> Hi there,
>
> I am seeing a strange problem with my system:
>
> Asus K8NE deluxe
> Windows XP home and Windows XP 64, xp firewall disabled
> Mozilla 1.7 / Firefox / IE
>
> With the Nvidia motherboard firewall enabled (even on low setting), I get the error message "operation timed out when attempting to contact..." with certain websites, eg:
>
> www.tesco.com
> www.dabs.com
> www.insight.com
>
> If I turn the Nvidia firewall off, I can access the websites no problem.
>
> I assume I need to create a rule in the firewall to allow something through, but am not sure what? There are no entries in the firewall log, but the information tab shows that some outgoing packets are being blocked.
>
> All I can think to do is install ethereal and try and spot which packets are getting stopped. Can anyone suggest an easier option (other than turning off the firewall?)
>
> Cheers,
> Chris.

Port number assignments are listed here:
http://www.iana.org/assignments/port-numbers

Port 80 is used for http and port 443 is used for https. Probably better to use an interface to the firewall, that filters based on application type, as all the ports for secure or non-secure browser operation could be opened with one operation in the interface. There might be a web page somewhere, that groups the port numbers by application.

This page hints at the nature of the problem. Any URL that uses an explicitly set port like 8000 or 8080, is going to be stopped by your firewall. In the old days, people using custom port numbers for web servers was common, but that of course, makes programming a firewall an unscalable task.
http://www.firetower.com/faqs/proxie...rts-other.html

Is there an interface in the Nvidia software, to make setting up the firewall, as a function of application type? Like selecting "browser" turns on 80 and 443?

Paul
#3
Paul wrote:
> Port number assignments are listed here:
> http://www.iana.org/assignments/port-numbers
>
> Port 80 is used for http and port 443 is used for https. Probably better to use an interface to the firewall, that filters based on application type, as all the ports for secure or non-secure browser operation could be opened with one operation in the interface. There might be a web page somewhere, that groups the port numbers by application.
>
> This page hints at the nature of the problem. Any URL that uses an explicitly set port like 8000 or 8080, is going to be stopped by your firewall. In the old days, people using custom port numbers for web servers was common, but that of course, makes programming a firewall an unscalable task.
> http://www.firetower.com/faqs/proxie...rts-other.html
>
> Is there an interface in the Nvidia software, to make setting up the firewall, as a function of application type? Like selecting "browser" turns on 80 and 443?
>
> Paul

Hi Paul,

Thanks for the response. There are wizards to set up different access (eg web browser) but using them hasn't helped.

The puzzle is that I have only come across 3 maybe 4 websites that I can't access in the 3+ months I have had this motherboard - everything else (non secure, secure, plugins etc) has worked fine.

I have run ethereal with firewall on and firewall off and can't really spot any difference (except for the fact that I can access the problem websites when it is off) - the only thing is some packet checksum errors which I guess might cause the packet to be blocked?

Cheers,
Chris
--
cut along the dotted line to reply
#4
In article , Chris wrote:

> Paul wrote:
>
> > Port number assignments are listed here:
> > http://www.iana.org/assignments/port-numbers
> >
> > Port 80 is used for http and port 443 is used for https. Probably better to use an interface to the firewall, that filters based on application type, as all the ports for secure or non-secure browser operation could be opened with one operation in the interface. There might be a web page somewhere, that groups the port numbers by application.
> >
> > This page hints at the nature of the problem. Any URL that uses an explicitly set port like 8000 or 8080, is going to be stopped by your firewall. In the old days, people using custom port numbers for web servers was common, but that of course, makes programming a firewall an unscalable task.
> > http://www.firetower.com/faqs/proxie...rts-other.html
> >
> > Is there an interface in the Nvidia software, to make setting up the firewall, as a function of application type? Like selecting "browser" turns on 80 and 443?
> >
> > Paul
>
> Hi Paul,
>
> Thanks for the response. There are wizards to set up different access (eg web browser) but using them hasn't helped.
>
> The puzzle is that I have only come across 3 maybe 4 websites that I can't access in the 3+ months I have had this motherboard - everything else (non secure, secure, plugins etc) has worked fine.
>
> I have run ethereal with firewall on and firewall off and can't really spot any difference (except for the fact that I can access the problem websites when it is off) - the only thing is some packet checksum errors which I guess might cause the packet to be blocked?
>
> Cheers,
> Chris

Have you been fiddling with MTU? Maybe your problem is related to packet length and the "don't fragment" bit. MTU problems can result from packets passing through network devices that encapsulate them (like PPPOE), as the extra header counts as part of the maximum packet size, so the real payloads have to be smaller than normal.

I had a problem once, where suddenly my email wouldn't work if I had an attachment on outgoing email. A short email would get through, but a large one wouldn't. I phoned tech support at my ISP, and they were all "oh, sir, it is your crappy misadjusted equipment causing the problem", when in fact, they had been changing the email server, and I had to set the MTU on my email computer, to work with their email server, even though every other site I connected to worked fine.

The email server was apparently implementing what I believe is called a "black hole". As I understand it (it has been a while since I fixed this), normally a computer sends a packet, and if the packet gets jammed somewhere along the way, the offender sends something back, and then your node can fragment the packet into pieces and try again. I think this may involve an ICMP packet. Well, ICMP is also used for "ping", and ping is used for buffer overflow attacks on Internet machines. So, clever IT staff turn off ICMP on a machine (like my email server), to stop that kind of thing. Everything would have been fine, if the email server had a normal sized MTU, but for some reason it didn't. When a too big packet goes to that machine, no ICMP with the bad news comes back, and TCP in my case at that point was deadlocked. I would have to kill my email client to escape.

This thread gives some sample terminology:
http://groups.google.com/groups?thre...%40tkmsftngp04

Now, I tried sniffing to your sample sites, and I don't see any weird port numbers. My sniffing tool doesn't have the notion of CRC errors, and you would think my router would drop an errored packet anyway. I also tried the ping -l style test, and in fact, had trouble sooner with my own ISP's web site, than I did with Dabs. So, I'm not convinced there is a black hole problem here. (Right now, I can ping two of them, and not the third.)

The three sites are commercial. Is that significant?

I'm afraid I've run out of ideas. I don't know if your CRC error observation is significant or not. I don't even know if CRC is carried through the Internet (end to end protection), or whether it is point to point. Since TCP/IP is a reliable protocol, I would think it would be acceptable for an interface somewhere along the path between source and dest, for an errored packet to be dropped. I don't think there is any benefit to carrying an errored packet all the way to the final receiver. Does that mean the errors you are detecting are in the final hop to your computer?

In your position, I would either play with the MTU or the black hole detection in the Registry. In any case, plenty of Googling ahead for you :-) Hope you can reach Google :-)))

Perhaps someone in a networking newsgroup could help?

Paul
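
The black-hole symptom described in post #4 (small packets get through, full-size "don't fragment" packets are retransmitted and never acknowledged, and no ICMP "fragmentation needed" message comes back) can be checked for in a capture. The following is an added example, not part of the original thread: the addresses, the tuple layout and the function name are constructed for illustration, and as a simplification any ICMP type 3 code 4 message seen in the capture clears every flow.

```python
from collections import defaultdict

LOCAL = "192.0.2.10"  # constructed address (documentation range)

# Constructed capture summary, one tuple per packet:
# (time, src, dst, proto, ip_len, df, seq, ack, icmp)
# seq = first payload byte sent, ack = next byte the peer expects, icmp = (type, code)
CAPTURE = [
    (0.00, LOCAL, "198.51.100.7", "tcp", 452, True, 1, None, None),     # small request
    (0.08, "198.51.100.7", LOCAL, "tcp", 40, True, None, 413, None),    # peer ACKs it
    (0.10, LOCAL, "198.51.100.7", "tcp", 1500, True, 413, None, None),  # full-size segment
    (3.10, LOCAL, "198.51.100.7", "tcp", 1500, True, 413, None, None),  # retransmission
    (9.10, LOCAL, "198.51.100.7", "tcp", 1500, True, 413, None, None),  # retransmission
    (0.00, LOCAL, "203.0.113.5", "tcp", 1500, True, 1, None, None),     # healthy peer
    (0.05, "203.0.113.5", LOCAL, "tcp", 40, True, None, 1461, None),    # ACKs full size
]


def find_blackhole_suspects(capture, local, min_retx=2):
    """Return peers whose large DF segments stall while small ones get through."""
    sent = defaultdict(lambda: defaultdict(list))  # peer -> seq -> [ip_len per send]
    acked = defaultdict(int)                       # peer -> highest ACK received
    frag_needed = False
    for _t, src, dst, proto, ip_len, df, seq, ack, icmp in capture:
        if proto == "icmp" and dst == local and icmp == (3, 4):
            frag_needed = True  # "fragmentation needed" arrived: not a black hole
        elif proto == "tcp" and src == local and df and seq is not None:
            sent[dst][seq].append(ip_len)
        elif proto == "tcp" and dst == local and ack is not None:
            acked[src] = max(acked[src], ack)
    suspects = {}
    for peer, segs in sent.items():
        # Segments retransmitted at least min_retx times and never acknowledged.
        stuck = [max(sizes) for seq, sizes in segs.items()
                 if len(sizes) > min_retx and seq >= acked[peer]]
        delivered = [sizes[0] for seq, sizes in segs.items() if seq < acked[peer]]
        if stuck and not frag_needed and max(delivered, default=0) < min(stuck):
            suspects[peer] = {"stuck_ip_len": min(stuck),
                              "largest_delivered": max(delivered, default=0)}
    return suspects


if __name__ == "__main__":
    for peer, info in find_blackhole_suspects(CAPTURE, LOCAL).items():
        print(peer, info)
```

A flagged peer brackets the usable path MTU between `largest_delivered` and `stuck_ip_len`, which is the range to narrow down with the ping -l style test mentioned in the post.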
#5
Paul wrote:
> In your position, I would either play with the MTU or the black hole detection in the Registry. In any case, plenty of Googling ahead for you :-) Hope you can reach Google :-)))
>
> Perhaps someone in a networking newsgroup could help?
>
> Paul

Hi Paul,

Thanks again for your help.

MTU settings all seem to be at default.

All the problem websites have checksum errors (maybe just a coincidence) on packets outgoing from my pc but I haven't seen a setting to prevent these being blocked by the firewall (if they are being blocked).

Interestingly, one website that used to be a problem was www.richersounds.com. The website has been redesigned, and now I can access it.

Time to ask in one of the networking newsgroups (now that I have hopefully established it's not something blindingly obvious).

Cheers,
Chris.
--
cut along the dotted line to reply
#6
Hello,
On Fri, 03 Dec 2004 18:07:17 +0000, Chris wrote:

> Hi there,
>
> I am seeing a strange problem with my system:
>
> Asus K8NE deluxe
> Windows XP home and Windows XP 64, xp firewall disabled
> Mozilla 1.7 / Firefox / IE
>
> With the Nvidia motherboard firewall enabled (even on low setting), I get the error message "operation timed out when attempting to contact..." with certain websites, eg:
>
> www.tesco.com
> www.dabs.com
> www.insight.com
>
> If I turn the Nvidia firewall off, I can access the websites no problem.
>
> I assume I need to create a rule in the firewall to allow something through, but am not sure what? There are no entries in the firewall log, but the information tab shows that some outgoing packets are being blocked.
>
> All I can think to do is install ethereal and try and spot which packets are getting stopped. Can anyone suggest an easier option (other than turning off the firewall?)
>
> Cheers,
> Chris.
> --

Does your Nvidia firewall include a popup killer? It seems that some sites cannot be accessed with a popup killer in function.

Does your firewall include a blacklist with forbidden sites? Then take a look at that blacklist.

Max M.