Date:      Tue, 3 Apr 2018 13:54:36 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Andrea Venturoli <ml@netfence.it>, freebsd-net@freebsd.org
Subject:   Re: Questions about ipfw's dynamic rules' dyn_keepalive
Message-ID:  <25e56a77-8374-d273-0b5e-2f11c1b03ff8@yandex.ru>
In-Reply-To: <756b78e2-4e65-ab03-1e91-943a77fdf45d@yandex.ru>
References:  <04ad23ad-4020-7c07-8d75-eef6e84f4de8@netfence.it> <756b78e2-4e65-ab03-1e91-943a77fdf45d@yandex.ru>

On 03.04.2018 13:45, Andrey V. Elsukov wrote:
>> Can anybody give any hint about the above behaviours or point me to good
>> documentation? The man pages are very brief on this, unfortunately.
> 
> Hi,
> 
> ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
> keep-alive packets are sent bypassing the rules. When you use NAT, I guess
> keep-alive packets have a private source address, because they do not go
> through the NAT rule. And because of this the remote host drops them without
> reply. Since there are no replies to keep-alive requests, a state times
> out.

You can try this patch:

	https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff

It adds a sysctl variable, net.inet.ip.fw.bypass_own_packets, that can
control the behavior of the M_SKIP_FIREWALL flag.

-- 
WBR, Andrey V. Elsukov
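One way to confirm the symptom described in this thread (keep-alives leaving the external interface with an un-NATed private source address) is to scan a tcpdump capture of that interface. This is an added example, not code from the thread or from ipfw; the tcpdump lines, addresses and ports below are constructed, and treating a zero-length ACK-only segment as a keep-alive is an assumption.

```python
import re

# Constructed sample tcpdump output (hypothetical addresses/ports): what the
# external interface might show if ipfw keep-alives bypass the NAT rule.
SAMPLE_TCPDUMP = """\
12:00:01.000000 IP 203.0.113.10.51515 > 198.51.100.7.443: Flags [P.], seq 1:101, ack 1, length 100
12:00:02.000000 IP 10.0.0.5.51515 > 198.51.100.7.443: Flags [.], ack 1, length 0
12:00:02.100000 IP 192.168.1.20.40000 > 198.51.100.7.22: Flags [.], ack 1, length 0
12:00:03.000000 IP 198.51.100.7.443 > 203.0.113.10.51515: Flags [.], ack 101, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$"
)

RFC1918 = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def _to_int(addr):
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private ranges."""
    n = _to_int(addr)
    return any(n >> (32 - bits) == _to_int(net) >> (32 - bits) for net, bits in RFC1918)


def parse_line(line):
    """Parse one tcpdump TCP line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["len"] = int(d["len"])
    return d


def find_leaked_keepalives(capture_text):
    """Return (src, dst) pairs for zero-length ACK segments that leave the
    external interface with a private source, i.e. packets the NAT never saw."""
    leaked = []
    for line in capture_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        looks_like_keepalive = p["flags"] == "." and p["len"] == 0
        if looks_like_keepalive and is_rfc1918(p["src"]) and not is_rfc1918(p["dst"]):
            leaked.append((p["src"], p["dst"]))
    return leaked
```

Run it against `tcpdump -ni <external-if> tcp` output; any hit means the keep-alive left without being translated and the remote side will not answer it.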

