Mysterious packets with stateful ipfw+nat

James Halstead jhalstead at fsisys.com
Sat Dec 2 13:44:43 PST 2006


Luigi Rizzo wrote:
> On Sat, Dec 02, 2006 at 09:00:13PM +0100, Max Laier wrote:
>> On Saturday 02 December 2006 19:00, James Halstead wrote:
>>> Ok, the "obvious" part that I think I was missing while it was late,
>>> was that these must be keep-alive packets generated by the firewall as
>>> the dynamic rules are about to expire. That being the case however,
>>> shouldn't these keep-alive packets take the same action as the original
>>> rule (skipto 1000 and be diverted through NAT for processing)?
>> keep-alive packets are marked with M_SKIP_FIREWALL in
>> netinet/ip_fw2.c::send_pkt. You could try to remove that, rebuild and see
>> if it helps. I'm not sure what the reasoning behind this setting was and
>> have no idea what implications it has to change it. If it helps your
>> setup we might want to consider a sysctl to change that behavior.
> 
> if i remember well, the M_SKIP_FIREWALL is because otherwise they
> would reset the timer for the session as if a reply had come from
> the other side.
> i understand that this makes the interaction with nat a bit problematic.
> On the other hand, i don't have a better solution.

Makes sense.

What about having the keep-alive packets take the action of the parent 
rule? I don't know if that is possible but it seems like it would solve 
the problem.

A note should be added to ipfw(8) to document this behavior, as knowing 
keep-alive skips the firewall would have saved me a lot of headache. 
Looks like ip_fw2.c comments are the only place that mention this.

Thanks,
-James

> 
> cheers
> luigi
> 
[snip]
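The ruleset layout the thread is discussing (dynamic rules whose parent action is skipto 1000, with the NAT divert at rule 1000), reconstructed as an added example; it is not a ruleset from the thread or from FreeBSD's rc.firewall. The interface name em0, the internal network 192.168.1.0/24 and the rule numbers are assumptions; the natd port 8668 is natd's default. The script is a dry run by default (it prints the ipfw commands through the rc.firewall-style `${fwcmd}` variable) so it can be inspected before being loaded. The comment on rule 1000 records the behaviour the thread identifies: keep-alive segments that ipfw generates for an expiring dynamic rule carry M_SKIP_FIREWALL, so they never pass through the divert rule and leave the external interface untranslated, which is what the "mysterious packets" are.

```shell
#!/bin/sh
# Constructed example: stateful ipfw + natd with "skipto 1000" as the
# parent action of the dynamic rules. Dry run unless fwcmd is overridden.
fwcmd="${fwcmd:-echo /sbin/ipfw}"  # set fwcmd=/sbin/ipfw to load for real
oif="${oif:-em0}"                  # external interface (assumed name)
inet="${inet:-192.168.1.0/24}"     # internal network (constructed)
natport="${natport:-8668}"         # natd divert port (natd's default)

nat_rules() {
    ${fwcmd} -f flush

    # Inbound packets from the outside are handed to natd first, so that
    # replies are translated back to the private address before the
    # dynamic rule (keyed on the private address) is consulted.
    ${fwcmd} add 100 divert ${natport} ip from any to any in via ${oif}
    ${fwcmd} add 200 check-state

    # New outbound TCP sessions create a dynamic rule; the parent action is
    # skipto 1000, so later packets matched by check-state also jump there.
    ${fwcmd} add 300 skipto 1000 tcp from ${inet} to any out via ${oif} setup keep-state
    # Everything else leaving the internal network is translated statelessly.
    ${fwcmd} add 400 skipto 1000 ip from ${inet} to any out via ${oif}

    # Rule 1000: outbound translation. Keep-alive segments that ipfw itself
    # sends for an expiring dynamic rule are marked M_SKIP_FIREWALL and never
    # reach this rule, so they leave ${oif} with the untranslated source.
    ${fwcmd} add 1000 divert ${natport} ip from any to any out via ${oif}
    ${fwcmd} add 1100 allow ip from any to any
}

nat_rules
```

Running it as-is prints the rule list; run it with `fwcmd=/sbin/ipfw` (and natd listening on the divert port) to load the rules. Because the keep-alives bypass the whole ruleset, no rule placement in this file changes that; only the kernel behaviour discussed in the thread does.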
