Date:      Sat, 07 Apr 2018 18:01:13 +0300
From:      wishmaster <artemrts@ukr.net>
To:        ml@netfence.it
Cc:        freebsd-net@freebsd.org
Subject:   Re[2]: Questions about ipfw's dynamic rules' dyn_keepalive
Message-ID:  <1523113095.663460514.l5y2tucy@frv52.fwdcdn.com>
In-Reply-To: <07ab14c5-466d-2d7e-9447-6b7d1e9bd823@netfence.it>
References:  <04ad23ad-4020-7c07-8d75-eef6e84f4de8@netfence.it> <756b78e2-4e65-ab03-1e91-943a77fdf45d@yandex.ru> <25e56a77-8374-d273-0b5e-2f11c1b03ff8@yandex.ru> <07ab14c5-466d-2d7e-9447-6b7d1e9bd823@netfence.it>



 --- Original Message ---
 From: "Andrea Venturoli" 
 Date: 7 April 2018, 17:19:00
 


> On 04/03/18 12:54, Andrey V. Elsukov wrote:
> > On 03.04.2018 13:45, Andrey V. Elsukov wrote:
> >>> Can anybody give any hint about the above behaviours or point me to good
> >>> documentation? The man page is very brief on this, unfortunately.
> >>
> >> Hi,
> 
> Thanks for your answer.
> 
> 
> 
> >> ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
> >> keep-alive packets are sent bypassing the rules. When you use NAT, I guess
> >> keep-alive packets have a private source address, because they do not go
> >> through the NAT rule. And because of this the remote host drops them without
> >> reply.
> 
> If this is the reason, since I run tcpdump on the client (internal 
> network) I should have seen them arriving, shouldn't I?
> 
> 
> 
> > You can try this patch:
> > 
> > https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff
> > 
> > It adds sysctl variable net.inet.ip.fw.bypass_own_packets, that can
> > control the behavior of M_SKIP_FIREWALL flag.
> 
> It seems this is a patch against HEAD and it doesn't apply cleanly to 
> 11.1R. Unfortunately the file it modifies seems to have changed a lot 
> and I don't know how to adapt this.
> 
> Is there a plan to get this patch in the source in the future?
> If not, why? Are there any disadvantages?

I have tested this patch (with some modifications), and with it ipfw works as expected for users behind NAT, without any side effects.

---
Vitaly
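The hypothesis discussed in the thread (ipfw's self-generated keep-alives skip the ruleset, so they leave the NAT box with an untranslated RFC 1918 source and the remote peer silently drops them) can be confirmed from a capture on the external interface. The script below is an added example, not code from the thread or from FreeBSD: it parses plain `tcpdump -n` TCP lines and reports zero-length pure-ACK segments that still carry an RFC 1918 address. The capture text is constructed for the demonstration, and the `Segment` type and function names are the example's own.

```python
"""Spot ipfw keep-alive probes that left the NAT box untranslated.

Given tcpdump output captured on the external (post-NAT) interface, report
zero-length pure-ACK segments that still carry an RFC 1918 address. Normal
traffic on that interface has already been rewritten by the NAT rule; a
probe that bypassed the ruleset has not.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `tcpdump -n` output on the external interface (not a
# real capture). Line 3 is what an untranslated keep-alive looks like next to
# normal, NAT-rewritten traffic from the same connection.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 203.0.113.5.51234 > 198.51.100.9.443: Flags [P.], seq 1:101, ack 1, win 1024, length 100
12:00:00.000002 IP 198.51.100.9.443 > 203.0.113.5.51234: Flags [.], ack 101, win 2048, length 0
12:05:00.000003 IP 192.168.1.10.51234 > 198.51.100.9.443: Flags [.], ack 1, win 1024, length 0
12:05:30.000004 IP 203.0.113.5.40000 > 198.51.100.7.22: Flags [.], ack 55, win 512, length 0
"""

# Default IPv4/TCP line shape printed by tcpdump -n; the port is the last dotted field.
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*"
    r"length (?P<length>\d+)$"
)

# RFC 1918 ranges spelled out explicitly: ipaddress.is_private also counts the
# documentation ranges (198.51.100.0/24, 203.0.113.0/24) as private, which
# would misclassify the public side of this capture.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Segment:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    length: int

    def is_keepalive_probe(self) -> bool:
        # ipfw's dyn_keepalive emits bare ACKs with no payload, which tcpdump
        # prints as 'Flags [.]' and 'length 0'. Ordinary pure ACKs look the
        # same, so the address check below is what makes a finding.
        return self.flags == "." and self.length == 0


def parse_tcpdump(text: str) -> list[Segment]:
    segments = []
    for line in text.splitlines():
        m = TCPDUMP_LINE.match(line)
        if not m:
            continue  # non-TCP or verbose lines are skipped
        segments.append(Segment(m["ts"], m["src"], int(m["sport"]), m["dst"],
                                int(m["dport"]), m["flags"], int(m["length"])))
    return segments


def untranslated_keepalives(text: str) -> list[Segment]:
    """Keep-alive-shaped segments seen outside that still carry a private address."""
    return [s for s in parse_tcpdump(text)
            if s.is_keepalive_probe() and (is_rfc1918(s.src) or is_rfc1918(s.dst))]


if __name__ == "__main__":
    for seg in untranslated_keepalives(SAMPLE_CAPTURE):
        print(f"{seg.ts} untranslated keep-alive {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}")
```

If the script reports hits on the outside interface while a matching capture on the inside interface shows the probes aimed at the client, the keep-alives are indeed leaving the ruleset untouched; an empty result on the outside with probes still visible inside points elsewhere (for example at an upstream filter).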


