I installed Redhat Enterprise 8.5 (using a free personal developer licence) which comes with kernel 4.18. Decided to modernize and use an nft based firewall script.
At first glance it works. But a subset of the internet is inaccessible. Specifically, any attempt to access http://news.yahoo.com fails from any machine other than the gateway machine itself. Paring the script down to the bare minimum, which I paste here:
table ip nat { chain postrouting { type nat hook postrouting priority filter; policy accept; oifname "ppp0" masquerade } }
everything works except news.yahoo.com (and it appears other things on the same CDN or whatever).
I figured I'd wait until RHEL9 and its newer kernel, but I did a test using another machine running FC39 (same kernel version) and the problem is the same.
These setups can still load my old iptables based firewall config. That also works but also has the problem above. It does not on the old CentOS 6 machine. I'm stumped. Where can I even begin to go for help with this?
If your network is sufficiently messed up, the incoming SYN+ACK from Yahoo may encourage your client to send too large a packet on the local network, which could be dropped without a needs-frag as well; if you've got enough cookies, that can cause connection stalls early on.
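An added example, not from either poster: the masquerade table from the question with an extra table that clamps the TCP MSS on forwarded SYN segments, the standard mitigation for the oversized-segment stall this reply describes. The ppp0 interface name comes from the question; the table and chain names and the 1452-byte value are my assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: check syntax with `nft -c -f firewall.nft`, load with `nft -f firewall.nft`.
flush ruleset

table ip nat {
    chain postrouting {
        type nat hook postrouting priority filter; policy accept;
        # Unchanged from the question: NAT LAN traffic behind the PPP link.
        oifname "ppp0" masquerade
    }
}

# Assumed table/chain names (not from the thread).
table inet mangle {
    chain forward {
        type filter hook forward priority mangle; policy accept;
        # Outbound SYN toward the internet: lower the advertised MSS to what the
        # ppp0 route MTU can carry, so the remote end never sends segments the
        # PPP link has to fragment or drop.
        oifname "ppp0" tcp flags syn tcp option maxseg size set rt mtu counter
        # Inbound SYN+ACK from the internet: the remote's MSS is what lets the LAN
        # client emit full-size segments; rewrite it before forwarding to the LAN.
        # 1452 assumes a 1492-byte PPPoE MTU (MTU minus 40 bytes of IP+TCP header);
        # set it to your actual ppp0 MTU minus 40.
        iifname "ppp0" tcp flags syn tcp option maxseg size set 1452 counter
    }
}
```

The `counter` on each rule lets `nft list ruleset` show whether SYN segments are actually being rewritten, which is the first thing to check if the stall persists.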
From my time at Yahoo Travel, and the hostnames I get back from DNS, it doesn't look like news.yahoo.com is using a CDN; I'm getting geodns'ed to a load balancer in a nearby colo. The images (s.yimg.com) are served by Yahoo's in-house CDN though and get an edge box in a nearby internet exchange (I think; can't exactly tell).