Questions about ipfw's dynamic rules' dyn_keepalive

Andrey V. Elsukov bu7cher at yandex.ru
Tue Apr 3 10:46:45 UTC 2018


On 03.04.2018 13:15, Andrea Venturoli wrote:
> Test 3: let's introduce NAT
> 
>> ipfw add 99 skipto 10000 tcp from any to external-host http setup
>> keep-state
> 
> (skipto 10000 is used to allow nat rules).
> With the same external host as before, now the rule times out!
>  
> Test 5: fwd to a jail on the router itself but using a different IP
> 
>> ipfw add 99 fwd 127.0.2.1 tcp from any to x.y.z.w http setup keep-state
> 
> telnet x.y.z.w 80
> 
> This time no keep-alives and the rule times out.
> I tried reasoning on this, but could not come up with an explanation.
> 
> Can anybody give any hint about the above behaviours or point me to good
> documentation? The man page is very brief on this, unfortunately.

Hi,

ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
keep-alive packets are sent bypassing the rules. When you use NAT, I guess
keep-alive packets have a private source address, because they do not go
through the NAT rule. And because of this the remote host drops them without
reply. Since there are no replies to keep-alive requests, a state times
out.

-- 
WBR, Andrey V. Elsukov
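As an added example (not from this thread and not ipfw's own code), a small Python checker that parses lines in the shape of `ipfw -d show` dynamic-state output and flags states whose keep-alives cannot reach the peer for the reason given above: the probe is built from the state's own endpoints and skips the NAT rule, so a private source talking to a public peer will never get an answer. The line layout and the sample states are assumed/constructed.

```python
import ipaddress
import re

# Constructed sample in the shape of `ipfw -d show` dynamic-rule lines
# (layout assumed from ipfw(8); real output may differ slightly).
SAMPLE_STATES = """\
## Dynamic rules:
00099        8      512 (291s) STATE tcp 10.0.0.5 51234 <-> 93.184.216.34 80 :default
00099        3      180 (4s) STATE tcp 10.0.0.7 40001 <-> 93.184.216.34 80 :default
00099        2      120 (280s) STATE tcp 10.0.0.9 40002 <-> 10.0.0.1 80 :default
"""

STATE_RE = re.compile(
    r"^(?P<rule>\d+)\s+\d+\s+\d+\s+\((?P<ttl>\d+)s\)\s+STATE\s+(?P<proto>\S+)\s+"
    r"(?P<src>[0-9a-fA-F.:]+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>[0-9a-fA-F.:]+)\s+(?P<dport>\d+)"
)

def parse_states(text):
    """One dict per dynamic-rule line; header and unrelated lines are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ttl"] = int(d["ttl"])
            states.append(d)
    return states

def keepalive_at_risk(state):
    """Keep-alives carry the state's original (pre-NAT) addresses and are sent
    with M_SKIP_FIREWALL, so the NAT rule never rewrites a private source.
    A public peer will not answer such a probe and the state will expire."""
    src = ipaddress.ip_address(state["src"])
    dst = ipaddress.ip_address(state["dst"])
    return src.is_private and dst.is_global

def report(text, warn_below=10):
    """Annotate each state: can keep-alives work, and is it about to expire
    (remaining lifetime below warn_below seconds)?"""
    return [{
        "rule": s["rule"], "src": s["src"], "dst": s["dst"], "ttl": s["ttl"],
        "keepalive_ok": not keepalive_at_risk(s),
        "expiring": s["ttl"] < warn_below,
    } for s in parse_states(text)]
```

States reported with `keepalive_ok` false are the ones where the keep-state entry silently ages out behind NAT; states that are local-to-local (both ends private) are unaffected.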
