From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 12 07:32:54 2009
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 79CCA1065672 for ; Sat, 12 Sep 2009 07:32:54 +0000 (UTC) (envelope-from cypher.w@gmail.com)
Received: from mail-pz0-f200.google.com (mail-pz0-f200.google.com [209.85.222.200]) by mx1.freebsd.org (Postfix) with ESMTP id 567A48FC13 for ; Sat, 12 Sep 2009 07:32:54 +0000 (UTC)
Received: by pzk38 with SMTP id 38so1383932pzk.9 for ; Sat, 12 Sep 2009 00:32:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject:from:to:content-type; bh=+wexgHahUG8py0gCDEDnEMClX5sgeZOVC+zhnkSGFuM=; b=BsvAxLsiqJ8ZkTs2SZd447RsB46uGSg02wW7zZhvzGs/6TxNGyVt4w8hbqdyjZWahQ ASdssJ55dYvlQiMl8H8Qw2w49YRPmSmjTd5EQGjl2JMXRqf9Icqbfg7C0YxO5Ksk6VT+ 3SCGjCc7YE9csjKAYXfP6NdXwTmQDBsZh1mrM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=hZinSqltCUJ/mSlI83GdSKFHMAaYK0D3CUIKsbvL95WEJZZXNbQroHzZtu0ZJ4ASjv LidH70jHyHfL898HKTmrCB3uSH5I/2l4ZDevkO1HbOmo+gj3Ep78nOCHdAxZbrLTidWR NhcyBFLwlHH4Y+7YBdCEJCD2Jrzs3fw6SAhX4=
MIME-Version: 1.0
Received: by 10.143.26.32 with SMTP id d32mr343477wfj.297.1252740774043; Sat, 12 Sep 2009 00:32:54 -0700 (PDT)
Date: Sat, 12 Sep 2009 15:32:54 +0800
Message-ID:
From: Cypher Wu
To: freebsd-ipfw@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: Transparent firewall & Dynamic rules
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 12 Sep 2009 07:32:54 -0000

I want to build a transparent firewall based on IPFW.
For static rules this is fine, but for dynamic rules, ipfw uses keepalive packets to avoid deleting a dynamic rule when both ends are still alive but don't issue any traffic for a long time. But this means the firewall should have its own IPs and is not transparent anymore.
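The situation described in the post, as an added example that is not part of the original message: an ipfw ruleset for an if_bridge(4) transparent firewall that relies on dynamic (keep-state) rules, together with the net.inet.ip.fw.dyn_* tunables that govern how that state expires. Because the bridge has no IP address of its own to source keepalive probes from, the example turns keepalive generation off (net.inet.ip.fw.dyn_keepalive=0) and compensates by raising the idle lifetime of established TCP state (net.inet.ip.fw.dyn_ack_lifetime). The interface names em0/em1, the inside prefix 192.0.2.0/24 and the lifetime values are constructed placeholders; filtering on bridge members via the pfil_member tunable is an assumption about the deployment, not something the post states. The script only prints the commands unless APPLY=1 is set, so it can be reviewed on a machine without ipfw.

```shell
#!/bin/sh
# Added example, not from the original post.  Builds a stateful ipfw
# ruleset for a transparent (bridged) firewall and the dynamic-rule
# tunables that matter when the box has no IP address of its own.
# Interface names, the inside prefix and the lifetimes are constructed.

IN_IF="${IN_IF:-em0}"                      # assumed: bridge member facing protected hosts
OUT_IF="${OUT_IF:-em1}"                    # assumed: bridge member facing the upstream router
INSIDE_NET="${INSIDE_NET:-192.0.2.0/24}"   # constructed documentation prefix

# Print each command unless APPLY=1; the default is a review-only dry run.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Filter at layer 3 on the bridge member interfaces (assumed deployment),
# not on the bridge interface itself, so each packet is evaluated once.
bridge_tunables() {
    run sysctl net.link.bridge.pfil_member=1
    run sysctl net.link.bridge.pfil_bridge=0
}

# Dynamic-rule expiry.  Keepalive probes would have to be sourced from an
# address the transparent firewall does not own, so they are disabled and
# idle established TCP state is kept for an hour instead (defaults in
# FreeBSD are dyn_keepalive=1 and dyn_ack_lifetime=300; 3600 is illustrative).
dyn_tunables() {
    run sysctl net.inet.ip.fw.dyn_keepalive=0
    run sysctl net.inet.ip.fw.dyn_ack_lifetime=3600
    run sysctl net.inet.ip.fw.dyn_udp_lifetime=60
    run sysctl net.inet.ip.fw.dyn_max=65535
}

# Stateful ruleset: state is created only for flows leaving the inside
# network; everything else must match existing state or is logged and dropped.
ruleset() {
    run ipfw -q flush
    run ipfw add 100 check-state
    run ipfw add 200 allow tcp from "$INSIDE_NET" to any in via "$IN_IF" setup keep-state
    run ipfw add 210 allow udp from "$INSIDE_NET" to any in via "$IN_IF" keep-state
    run ipfw add 220 allow icmp from "$INSIDE_NET" to any in via "$IN_IF" keep-state
    run ipfw add 65000 deny log ip from any to any
}

main() {
    bridge_tunables
    dyn_tunables
    ruleset
}

main
```

Run it once without APPLY to review the generated commands, then with `APPLY=1` on the bridge host. Raising dyn_ack_lifetime trades memory for tolerance of idle connections, so dyn_max should be sized for the expected number of concurrent flows; `sysctl net.inet.ip.fw.dyn_count` shows how much state is currently held.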