Questions about ipfw's dynamic rules' dyn_keepalive

Andrey V. Elsukov bu7cher at yandex.ru
Tue Apr 3 10:56:19 UTC 2018


On 03.04.2018 13:45, Andrey V. Elsukov wrote:
>> Can anybody give any hint about the above behaviours or point me to good
>> documentation? The man page is very brief on this, unfortunately.
> 
> Hi,
> 
> ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
> keep-alive packets are sent bypassing the rules. When you use NAT, I guess
> the keep-alive packets have a private source address, because they do not go
> through the NAT rule. And because of this the remote host drops them without
> a reply. Since there are no replies to the keep-alive requests, the state times
> out.

You can try this patch:

	https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff

It adds a sysctl variable, net.inet.ip.fw.bypass_own_packets, that can
control the behavior of the M_SKIP_FIREWALL flag.

-- 
WBR, Andrey V. Elsukov


