From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Andrea Venturoli, freebsd-net@freebsd.org
Subject: Re: Questions about ipfw's dynamic rules' dyn_keepalive
Date: Tue, 3 Apr 2018 13:45:11 +0300
Message-ID: <756b78e2-4e65-ab03-1e91-943a77fdf45d@yandex.ru>
In-Reply-To: <04ad23ad-4020-7c07-8d75-eef6e84f4de8@netfence.it>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On 03.04.2018 13:15, Andrea Venturoli wrote:
> Test 3: let's introduce NAT
> 
>> ipfw add 99 skipto 10000 tcp from any to external-host http setup
>> keep-state
> 
> (skipto 10000 is used to allow nat rules).
> With the same external host as before, now the rule times out!
> 
> Test 5: fwd to a jail on the router itself but using a different IP
> 
>> ipfw add 99 fwd 127.0.2.1 tcp from any to x.y.z.w http setup keep-state
> 
> telnet x.y.z.w 80
> 
> This time no keep-alives and the rule times out.
> I tried reasoning on this, but could not come up with an explanation.
> 
> Can anybody give any hint about the above behaviours or point me to good
> documentation? The man page is very brief on this, unfortunately.

Hi,

ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
keep-alive packets are sent bypassing the rules. When you use NAT, I guess
keep-alive packets have a private source address, because they do not go
through the NAT rule. And because of this the remote host drops them
without reply. Since there are no replies to keep-alive requests, the
state times out.

-- 
WBR, Andrey V. Elsukov
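Added example, not part of the thread and not ipfw's own code: a small sh/awk filter over the dynamic-state listing (`ipfw -d show`, or `ipfw -d list`) that flags states whose local endpoint is an RFC 1918 address and whose peer is a public host. Following the reply above, those are the states whose keep-alives leave the router with an untranslated private source and therefore never get an answer. The sample listing below is constructed; its column layout follows ipfw's dynamic-state output as remembered by the author of this example and is an assumption, which is why the fields are located relative to the `<->` token rather than by fixed column (the counter columns are only printed by `show` or `-a`, not by a plain `list`).

```shell
#!/bin/sh
# Added example (not from the thread, not ipfw code).
# Flag ipfw dynamic states that were recorded with a private (RFC 1918)
# source and a public destination. Per the reply above, keep-alives are
# built from the state's own addresses and bypass the ruleset
# (M_SKIP_FIREWALL), so such states are not kept alive across NAT.

# Constructed sample in the shape of `ipfw -d show` output (assumed layout:
# rule, pkts, bytes, "(Ns)" lifetime, STATE/LIMIT, proto, src sport <-> dst dport).
SAMPLE_STATES='## Dynamic rules (4):
00099        12      1840 (299s) STATE tcp 192.168.1.10 54321 <-> 93.184.216.34 80 :default
00099         8      1120 (5s) STATE tcp 192.168.1.11 54322 <-> 93.184.216.34 80 :default
00200        40      5200 (250s) STATE tcp 203.0.113.5 40000 <-> 198.51.100.7 443 :default
00300         3       240 (10s) STATE udp 192.168.1.12 5000 <-> 192.168.1.1 53 :default'

# flag_nat_states < listing
# Prints one line per flagged state:  RULE SRC:SPORT -> DST:DPORT (lifetime)
# Fields are found relative to the "<->" token, so the output parses the
# same whether or not the packet/byte counter columns are present.
flag_nat_states() {
    awk '
    function is_private(a) {
        return (a ~ /^10\./ || a ~ /^192\.168\./ || a ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
    }
    {
        for (i = 1; i <= NF; i++) if ($i == "<->") break
        # Need STATE/LIMIT, proto, src, sport before the arrow and dst, dport after it.
        if (i > NF || i < 5 || i + 2 > NF) next
        if ($(i-4) != "STATE" && $(i-4) != "LIMIT") next
        ttl = ""
        for (j = 2; j < i; j++) if ($j ~ /^\([0-9]+s\)$/) ttl = $j
        src = $(i-2); sport = $(i-1); dst = $(i+1); dport = $(i+2)
        if (is_private(src) && !is_private(dst))
            printf "%s %s:%s -> %s:%s %s\n", $1, src, sport, dst, dport, ttl
    }'
}

# Stand-alone demo against the constructed sample.
# On a router the usage is:  ipfw -d show | flag_nat_states
printf '%s\n' "$SAMPLE_STATES" | flag_nat_states
```

Only the two 192.168.1.x states talking to the public host are reported; the all-public state and the private-to-private DNS state are not. A reported state that shows a short remaining lifetime while the connection is idle is the case the reply describes: the keep-alive goes out with the private address, gets no reply, and the state expires.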