Questions about ipfw's dynamic rules' dyn_keepalive
    Andrea Venturoli
    ml at netfence.it
    Sat Apr  7 14:18:25 UTC 2018

On 04/03/18 12:54, Andrey V. Elsukov wrote:
> On 03.04.2018 13:45, Andrey V. Elsukov wrote:
>>> Can anybody give any hint about the above behaviours or point me to good
>>> documentation? The man page is very brief on this, unfortunately.
>>
>> Hi,
Thanks for your answer.
>> ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
>> keep-alive packets are sent bypassing the rules. When you use NAT, I guess
>> keep-alive packets have a private source address, because they do not go
>> through the NAT rule. And because of this the remote host drops them without
>> reply.
If this is the reason, since I run tcpdump on the client (internal 
network) I should have seen them arriving, shouldn't I?
> You can try this patch:
> 
> 	https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff
> 
> It adds sysctl variable net.inet.ip.fw.bypass_own_packets, that can
> control the behavior of M_SKIP_FIREWALL flag.
It seems this is a patch against HEAD and it doesn't apply cleanly to 
11.1R. Unfortunately the file it modifies seems to have changed a lot 
and I don't know how to adapt this.
Is there a plan to get this patch in the source in the future?
If not, why? Are there any disadvantages?
  bye & Thanks
	av.
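As an added check (example code, not from the thread or from ipfw itself): if the explanation above is right, a capture on the gateway's external interface should show empty ACK segments leaving with an internal RFC 1918 source address. The filter below scans `tcpdump -nn` text output for exactly that; the interface name and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: scan tcpdump -nn text output taken on the *external* (post-NAT)
# interface and report empty ACK segments whose source is RFC 1918 private space.
# ipfw's dyn_keepalive probes are empty ACKs sent by the kernel with M_SKIP_FIREWALL,
# so if they skip the NAT rule they leave with the internal client's private address.

# Constructed sample of `tcpdump -nn -i <ext_if> tcp` output (not a real capture).
SAMPLE='12:00:01.000001 IP 203.0.113.7.51234 > 198.51.100.20.443: Flags [P.], seq 1:101, ack 1, win 1024, length 100
12:00:02.000001 IP 192.168.10.25.51234 > 198.51.100.20.443: Flags [.], ack 1, win 1024, length 0
12:00:02.000002 IP 192.168.10.25.51234 > 198.51.100.20.443: Flags [.], ack 1, win 1024, length 0
12:00:03.000001 IP 198.51.100.20.443 > 203.0.113.7.51234: Flags [.], ack 101, win 1024, length 0
12:00:04.000001 IP 10.0.0.9.40000 > 198.51.100.21.22: Flags [.], ack 500, win 1024, length 0
12:00:05.000001 IP 203.0.113.7.40001 > 198.51.100.21.22: Flags [S], seq 0, win 65535, options [mss 1460], length 0'

# Print "src > dst" for every empty ACK (Flags [.], length 0) with an RFC 1918 source.
find_unnatted_keepalives() {
    awk '
        /Flags \[\.\]/ && / length 0$/ {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # drop the trailing port to get the bare source address
            ip = src; sub(/\.[0-9]+$/, "", ip)
            if (ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
                print src " > " dst
        }'
}

# Number of distinct leaking flows; a monitoring job can alert on any non-zero value.
count_leaking_flows() {
    find_unnatted_keepalives | sort -u | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | find_unnatted_keepalives
# Live use on the gateway (em0 is a placeholder): tcpdump -nn -l -i em0 tcp | find_unnatted_keepalives
```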