From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 12 13:03:13 2009
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 20F06106566C for ; Sat, 12 Sep 2009 13:03:13 +0000 (UTC) (envelope-from luigi@onelab2.iet.unipi.it)
Received: from onelab2.iet.unipi.it (onelab2.iet.unipi.it [131.114.59.238]) by mx1.freebsd.org (Postfix) with ESMTP id DA3968FC14 for ; Sat, 12 Sep 2009 13:03:12 +0000 (UTC)
Received: by onelab2.iet.unipi.it (Postfix, from userid 275) id 190C5730DA; Sat, 12 Sep 2009 15:09:13 +0200 (CEST)
Date: Sat, 12 Sep 2009 15:09:13 +0200
From: Luigi Rizzo
To: Cypher Wu
Message-ID: <20090912130913.GA46135@onelab2.iet.unipi.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.3i
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Transparent firewall & Dynamic rules
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sat, 12 Sep 2009 13:03:13 -0000

On Sat, Sep 12, 2009 at 03:32:54PM +0800, Cypher Wu wrote:
> I want to build a transparent firewall based on IPFW. For static rules
> this is fine, but for dynamic rules, ipfw uses keepalive packets to
> avoid deleting a dynamic rule when both ends are still alive but don't
> issue any traffic for a long time. But this means the firewall should
> have its own IPs and is not transparent anymore.

Keepalives carry the addresses of the two endpoints; the firewall is not visible.
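The point of the reply can be made concrete with a small model of what a stateful filter puts on the wire when an idle, state-tracked TCP flow is about to time out. The following Python is an added example, not ipfw's implementation and not code from either poster: it keeps a toy dynamic-rule entry for one flow, forges one TCP ACK probe toward each endpoint sourced from the other endpoint, and then parses the probes back to show that only the two endpoint addresses appear. The probe shape (seq one below what the receiver expects, ack equal to everything seen, so the receiver answers with a plain ACK) is the classic TCP keepalive-probe convention and is assumed here rather than taken from ipfw; the addresses, ports, sequence numbers and the 20-second pre-expiry window are constructed sample values.

```python
"""Model of transparent keepalives for dynamic (keep-state) TCP rules.

Added example, not ipfw's code. A stateful filter remembers, per tracked flow,
the two endpoint addresses and the next sequence number expected in each
direction. When the entry is about to expire idle, it forges one TCP ACK probe
toward each endpoint, sourced from the *other* endpoint, so neither packet
needs an address owned by the filter. The endpoints reply with ACKs, and those
replies refresh the entry. All values below are constructed samples.
"""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

TH_ACK = 0x10
KEEPALIVE_BEFORE_EXPIRY = 20.0  # assumed: probe when this close to expiry


@dataclass
class DynState:
    """One dynamic-rule entry for a TCP flow, as a filter might store it."""
    src: str        # initiator address
    sport: int
    dst: str        # responder address
    dport: int
    ack_fwd: int    # next seq number expected from src -> dst
    ack_rev: int    # next seq number expected from dst -> src
    expires: float  # absolute time at which the idle entry is dropped


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (IPv4 and TCP use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_ack(src_ip: str, sport: int, dst_ip: str, dport: int,
                  seq: int, ack: int) -> bytes:
    """Minimal IPv4 + TCP packet with only the ACK flag set and no payload."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: ports, seq, ack, data offset 5 words, flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, TH_ACK, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version/IHL, TOS, total length, id, frag, TTL, proto, csum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def keepalive_probes(state: DynState) -> list[bytes]:
    """Two probes for an idle flow, one toward each endpoint.

    Each probe is sourced from the far endpoint and acknowledges everything
    seen, with seq one below what the receiver expects (assumed keepalive-probe
    shape): the receiver discards it as old data but answers with an ACK.
    """
    to_dst = build_tcp_ack(state.src, state.sport, state.dst, state.dport,
                           seq=state.ack_fwd - 1, ack=state.ack_rev)
    to_src = build_tcp_ack(state.dst, state.dport, state.src, state.sport,
                           seq=state.ack_rev - 1, ack=state.ack_fwd)
    return [to_dst, to_src]


def parse_endpoints(pkt: bytes) -> tuple[str, int, str, int, int]:
    """(src_ip, sport, dst_ip, dport, tcp_flags) of a raw IPv4/TCP packet.

    Both checksums are verified, so a malformed probe raises instead of
    silently reporting addresses.
    """
    ihl = (pkt[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 checksum")
    tcp = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    if inet_checksum(pseudo + tcp) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (socket.inet_ntoa(pkt[12:16]), sport,
            socket.inet_ntoa(pkt[16:20]), dport, tcp[13])


def addresses_in_probes(state: DynState) -> set[str]:
    """Every IP address that the keepalive probes for one entry put on the wire."""
    addrs: set[str] = set()
    for pkt in keepalive_probes(state):
        src, _, dst, _, flags = parse_endpoints(pkt)
        assert flags == TH_ACK
        addrs.update({src, dst})
    return addrs


def due_for_keepalive(state: DynState, now: float) -> bool:
    """True when the entry is still alive but close enough to expiry to probe."""
    return 0 < state.expires - now <= KEEPALIVE_BEFORE_EXPIRY


if __name__ == "__main__":
    # Constructed sample flow through a bridge filter that owns no IP address.
    st = DynState("192.0.2.10", 50000, "198.51.100.7", 22,
                  ack_fwd=1000, ack_rev=5000, expires=1000.0)
    if due_for_keepalive(st, now=990.0):
        for probe in keepalive_probes(st):
            print(parse_endpoints(probe))
    # Only the two endpoint addresses ever appear on the wire.
    print(sorted(addresses_in_probes(st)))
```

Run as a script, the model prints the two probes as (src, sport, dst, dport, flags) tuples and then the set of addresses they carry, which is exactly the pair of endpoints. A real bridge-mode filter would inject these frames on the interface facing each endpoint; the model stops at building and checking the packets.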