ECN or Explicit Congestion Notification was added in Linux 2.4 kernel. Some companies are filtering packets that has bits in the packet header flipped in the reserved space thinking someone is trying to mangle packets to get around security. But these reserved bits are there for the new features like ECN, so it can be added.
http://www.tux.org/lkml/#s14-2
Why does the 2.4 kernel report Connection refused when connecting to sites which work fine with earlier kernels?
(DW) The 2.4 kernel is designed to make your Internet Experience more pleasurable. One of the ways in which it does so is by implementing Explicit Congestion Notification - a new method defined in RFC 2481 for improving TCP performance in the the presence of congestion by allowing routers to provide an early warning of traffic flow problems.
Unfortunately, there are bugs in some firewall products which cause them to reject incoming packets with ECN enabled. If your own firewall is broken in this respect, you should check with your vendor for a fix.
If the site to which you cannot connect is not under your control, then after you have contacted the administrator of the offending site to let them know about their problem, you can disable ECN in the 2.4 kernel either by disabling the CONFIG_INET_ECN option and recompiling the kernel, or by executing the following command as root:
# echo 0 >/proc/sys/net/ipv4/tcp_ecn
You might also take a look at http://www.aciri.org/floyd/ecn.html for more details on the ECN changes.
Slashdot Mirror
ECN or Explicit Congestion Notification was added in Linux 2.4 kernel. Some companies are filtering packets that has bits in the packet header flipped in the reserved space thinking someone is trying to mangle packets to get around security. But these reserved bits are there for the new features like ECN, so it can be added.
http://www.tux.org/lkml/#s14-2
Why does the 2.4 kernel report Connection refused when connecting to sites which work fine with earlier kernels?
(DW) The 2.4 kernel is designed to make your Internet Experience more pleasurable. One of the ways in which it does so is by implementing Explicit Congestion Notification - a new method defined in RFC 2481 for improving TCP performance in the the presence of congestion by allowing routers to provide an early warning of traffic flow problems.
Unfortunately, there are bugs in some firewall products which cause them to reject incoming packets with ECN enabled. If your own firewall is broken in this respect, you should check with your vendor for a fix.
If the site to which you cannot connect is not under your control, then after you have contacted the administrator of the offending site to let them know about their problem, you can disable ECN in the 2.4 kernel either by disabling the CONFIG_INET_ECN option and recompiling the kernel, or by executing the following command as root:
# echo 0 >
You might also take a look at http://www.aciri.org/floyd/ecn.html for more details on the ECN changes.
-- Ingram