On 03.04.2018 13:45, Andrey V. Elsukov wrote:
>> Can anybody give any hint about the above behaviours or point me to good
>> documentation? The man pages are very brief on this, unfortunately.
>
> Hi,
>
> ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
> keep-alive packets are sent bypassing the rules. When you use NAT, I guess
> keep-alive packets have a private source address, because they do not go
> through the NAT rule. And because of this the remote host drops them without
> reply. Since there are no replies to keep-alive requests, a state times
> out.
You can try this patch:
https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff
It adds sysctl variable net.inet.ip.fw.bypass_own_packets, that can
control the behavior of M_SKIP_FIREWALL flag.
--
WBR, Andrey V. Elsukov
