Date: Tue, 3 Apr 2018 13:45:11 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Andrea Venturoli <ml@netfence.it>, freebsd-net@freebsd.org
Subject: Re: Questions about ipfw's dynamic rules' dyn_keepalive
Message-ID: <756b78e2-4e65-ab03-1e91-943a77fdf45d@yandex.ru>
In-Reply-To: <04ad23ad-4020-7c07-8d75-eef6e84f4de8@netfence.it>
References: <04ad23ad-4020-7c07-8d75-eef6e84f4de8@netfence.it>
On 03.04.2018 13:15, Andrea Venturoli wrote:
> Test 3: let's introduce NAT
>
>> ipfw add 99 skipto 10000 tcp from any to external-host http setup
>> keep-state
>
> (skipto 10000 is used to allow nat rules).
> With the same external host as before, now the rule times out!
>
> Test 5: fwd to a jail on the router itself but using a different IP
>
>> ipfw add 99 fwd 127.0.2.1 tcp from any to x.y.z.w http setup keep-state
>
> telnet x.y.z.w 80
>
> This time no keep-alives and the rule times out.
> I tried reasoning on this, but could not come up with an explanation.
>
> Can anybody give any hint about the above behaviours or point me to good
> documentation? The man page is very brief on this, unfortunately.

Hi,

ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus keep-alive packets are sent bypassing the rules. When you use NAT, I guess keep-alive packets have a private source address, because they do not go through the NAT rule. And because of this the remote host drops them without reply. Since there are no replies to keep-alive requests, a state times out.

-- 
WBR, Andrey V. Elsukov
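As an added example (not code from this thread, nor from ipfw itself): a small POSIX sh audit that reads `ipfw -d list` output and flags dynamic states whose local endpoint is an RFC 1918 address talking to a public peer, which is the situation in Test 3 above where the kernel's keep-alives leave with the private source address, get no reply, and the state expires anyway. The dynamic-rule line layout it parses is an assumption, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from ipfw. Flags ipfw dynamic states
# whose local side is an RFC 1918 address and whose peer is public. If such a
# keep-state rule sits in front of a nat rule, keep-alives generated by the
# kernel (M_SKIP_FIREWALL, so they bypass nat) carry the private source and
# never get a reply, so the state times out despite dyn_keepalive.
#
# Assumed `ipfw -d list` dynamic-entry layout (constructed sample below):
#   RULE PKTS BYTES (TTLs) STATE proto src sport <-> dst dport [extra]

is_private() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads a listing on stdin; prints "rule src dst ttl" for every exposed state.
nat_exposed_states() {
    while read -r rule _pkts _bytes ttl kind proto src _sport arrow dst _dport _rest; do
        [ "$kind" = "STATE" ] && [ "$arrow" = "<->" ] || continue
        ttl=${ttl#\(}; ttl=${ttl%\)}
        if is_private "$src" && ! is_private "$dst"; then
            printf '%s %s %s %s\n' "$rule" "$src" "$dst" "$ttl"
        fi
    done
}

# Constructed sample: one state behind NAT to a public peer, one purely
# internal state, and one state whose local side is already a public address.
SAMPLE='## Dynamic rules (3 4096):
00099       12      1840 (285s) STATE tcp 192.168.1.5 52345 <-> 93.184.216.34 80
00099        8       960 (290s) STATE tcp 192.168.1.7 41000 <-> 192.168.1.1 80
00100        3       180 (120s) STATE tcp 203.0.113.9 33000 <-> 198.51.100.20 80'

# Number of exposed states in the sample (a live run would pipe `ipfw -d list`).
count_nat_exposed() {
    printf '%s\n' "$SAMPLE" | nat_exposed_states | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | nat_exposed_states
```

Correlate the reported rule numbers with the ruleset: only states created by rules that precede a nat rule are affected.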