Subject: Re: Questions about ipfw's dynamic rules' dyn_keepalive
From: Andrea Venturoli <ml@netfence.it>
To: "Andrey V. Elsukov", freebsd-net@freebsd.org
Date: Sat, 7 Apr 2018 16:18:04 +0200
Message-ID: <07ab14c5-466d-2d7e-9447-6b7d1e9bd823@netfence.it>
In-Reply-To: <25e56a77-8374-d273-0b5e-2f11c1b03ff8@yandex.ru>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On 04/03/18 12:54, Andrey V. Elsukov wrote:
> On 03.04.2018 13:45, Andrey V. Elsukov wrote:
>>> Can anybody give any hint about the above behaviours or point me to good
>>> documentation? The man page is very brief on this, unfortunately.
>>
>> Hi,

Thanks for your answer.

>> ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
>> keep-alive packets are sent bypassing the rules. When you use NAT, I guess
>> keep-alive packets have a private source address, because they do not go
>> through the NAT rule. And because of this the remote host drops them without
>> reply.

If this is the reason, since I run tcpdump on the client (internal network),
I should have seen them arriving, shouldn't I?

> You can try this patch:
>
> https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff
>
> It adds a sysctl variable, net.inet.ip.fw.bypass_own_packets, which can
> control the behavior of the M_SKIP_FIREWALL flag.

It seems this is a patch against HEAD and it doesn't apply cleanly to 11.1R.
Unfortunately the file it modifies seems to have changed a lot and I don't
know how to adapt this.

Is there a plan to get this patch into the source in the future? If not, why?
Are there any disadvantages?

bye & Thanks
	av.
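The following is a toy model, added here and not part of the thread or of ipfw's code, of the keep-alive path Andrey hypothesises above: the dynamic rule stores the client's pre-NAT private address, the firewall builds two zero-payload ACKs from that tuple (one toward each endpoint), and a flag analogous to M_SKIP_FIREWALL lets those packets skip the ruleset, including the NAT rule. The ruleset layout (nat, then check-state, then allow), the addresses, the port-preserving NAT and the `bypass_own_packets` switch are all assumptions made for the illustration. It shows both halves of the exchange: with bypass on, the keep-alive toward the remote host leaves with a private source and is unanswerable, while the keep-alive toward the client is still deliverable on the LAN, which is why tcpdump on the client could see that direction even when the remote side never replies.

```python
"""Model of ipfw-style keep-alives crossing (or skipping) a NAT rule.

Simplified illustration only; not ipfw source. The ruleset shape, the NAT
behaviour and the bypass switch are assumptions labelled in the comments.
"""
import ipaddress
from dataclasses import dataclass, replace

# RFC 1918 space, checked explicitly (ipaddress.is_private would also flag the
# documentation ranges used below as sample addresses).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str
    own: bool = False   # generated by the firewall itself (M_SKIP_FIREWALL analogue)


@dataclass(frozen=True)
class DynRule:
    """5-tuple as stored when the state was created: assumed pre-NAT (private client)."""
    src: str
    dst: str
    sport: int
    dport: int


def keepalives(rule: DynRule):
    """Two zero-payload ACKs built from the stored tuple, one toward each end."""
    to_remote = Packet(rule.src, rule.dst, rule.sport, rule.dport, "A", own=True)
    to_client = Packet(rule.dst, rule.src, rule.dport, rule.sport, "A", own=True)
    return to_remote, to_client


def nat_out(pkt: Packet, public_ip: str, nat_table: dict) -> Packet:
    """Assumed outbound NAT rule: rewrite a private source to the public address."""
    if is_rfc1918(pkt.src):
        nat_table[(public_ip, pkt.sport)] = (pkt.src, pkt.sport)  # port-preserving, for brevity
        return replace(pkt, src=public_ip)
    return pkt


def outbound_path(pkt: Packet, public_ip: str, nat_table: dict,
                  bypass_own_packets: bool) -> Packet:
    """Assumed outbound ruleset [nat, check-state, allow] on the external interface."""
    if pkt.own and bypass_own_packets:
        return pkt                      # rules skipped entirely, so no NAT either
    return nat_out(pkt, public_ip, nat_table)


def remote_accepts(pkt: Packet) -> bool:
    """An Internet host cannot answer a packet sourced from RFC 1918 space."""
    return not is_rfc1918(pkt.src)


def simulate(bypass_own_packets: bool) -> dict:
    # Constructed sample state: private client talking to a remote HTTPS server.
    rule = DynRule("10.1.2.18", "203.0.113.7", 50123, 443)
    public_ip = "198.51.100.1"          # constructed firewall external address
    nat_table = {}
    to_remote, to_client = keepalives(rule)
    on_wire = outbound_path(to_remote, public_ip, nat_table, bypass_own_packets)
    return {
        "to_remote_src": on_wire.src,
        "remote_accepts": remote_accepts(on_wire),
        # LAN-side keep-alive needs no NAT: its destination is the client itself.
        "client_sees_keepalive": to_client.dst == rule.src,
    }


if __name__ == "__main__":
    for bypass in (True, False):
        print(f"bypass_own_packets={int(bypass)}: {simulate(bypass)}")
```

Run it and compare the two rows: only the `bypass_own_packets=0` case sends the remote-bound keep-alive with the public address, which is the behaviour the thread's patch makes switchable.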