On 04/03/18 12:54, Andrey V. Elsukov wrote:
> On 03.04.2018 13:45, Andrey V. Elsukov wrote:
>> Can anybody give any hint about the above behaviours or point me to good
>> documentation? The man pages are very brief on this, unfortunately.

Hi,

Thanks for your answer.



> ipfw uses M_SKIP_FIREWALL flag for self-generated packets. Thus
> keep-alive packets are sent bypassing the rules. When you use NAT, I guess
> keep-alive packets have a private source address, because they do not go
> through the NAT rule. And because of this the remote host drops them without
> a reply.

If this is the reason, since I run tcpdump on the client (internal network) I should have seen them arriving, shouldn't I?



> You can try this patch:
>
>         https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff
>
> It adds sysctl variable net.inet.ip.fw.bypass_own_packets, that can
> control the behavior of M_SKIP_FIREWALL flag.

It seems this is a patch against HEAD and it doesn't apply cleanly to 11.1R. Unfortunately the file it modifies seems to have changed a lot and I don't know how to adapt this.

Is there a plan to get this patch in the source in the future?
If not, why? Are there any disadvantages?


 bye & Thanks
        av.
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
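A quick way to confirm the explanation given in the thread (ipfw-generated keep-alives leaving the box un-NATed, i.e. with a private source address on the outside interface) is to capture on the external interface and count packets whose source is RFC1918. The script below is an added example for this page, not code from the thread or from FreeBSD/ipfw. It assumes an external interface named em0 and the default tcpdump -n line format; the sample capture lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): detect packets that
# leave the external interface with a private (RFC1918) source address.
# Keep-alives that carry M_SKIP_FIREWALL skip the ipfw nat rule and would
# show up here; legitimate post-NAT traffic would not.
# Assumptions: external interface "em0"; tcpdump -n lines look like
# "HH:MM:SS.frac IP src.port > dst.port: ..."; sample lines are constructed.

# Exit 0 if $1 is an IPv4 address in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            second=${1#172.}
            second=${second%%.*}
            case "$second" in
                1[6-9]|2[0-9]|3[01]) return 0 ;;
            esac
            ;;
    esac
    return 1
}

# Read tcpdump -n lines on stdin; write to stdout the number of IPv4
# packets whose source address is private.
count_private_sources() {
    n=0
    while IFS= read -r line; do
        # Source host is the dotted quad before the last ".port" of the
        # token that precedes " > ".
        src=$(printf '%s\n' "$line" |
              sed -n 's/.* IP \([0-9][0-9.]*\)\.[0-9][0-9]* > .*/\1/p')
        [ -n "$src" ] || continue
        if is_rfc1918 "$src"; then
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# Constructed sample capture: two packets with private sources mixed with
# ordinary post-NAT traffic (203.0.113.0/24 and 198.51.100.0/24 are
# documentation prefixes).
SAMPLE_CAPTURE='12:54:01.000001 IP 192.168.1.10.49152 > 203.0.113.5.22: Flags [.], ack 1, win 1024, length 0
12:54:01.000002 IP 198.51.100.7.49153 > 203.0.113.5.22: Flags [.], ack 1, win 1024, length 0
12:54:02.000003 IP 10.0.0.5.49154 > 203.0.113.9.443: Flags [.], ack 1, win 1024, length 0
12:54:02.000004 IP 203.0.113.5.22 > 198.51.100.7.49153: Flags [.], ack 1, win 1024, length 0'

# Live variant: let the BPF filter do the address test on the external
# interface (assumed em0) for 200 packets. Needs root; not run here.
live_leak_count() {
    tcpdump -n -i "${1:-em0}" -c 200 \
        'tcp and src net (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)' 2>/dev/null |
        count_private_sources
}

printf '%s\n' "$SAMPLE_CAPTURE" | count_private_sources   # prints 2
```

If live_leak_count on the outside interface reports anything other than 0 while the only traffic is idle TCP sessions through the NAT rule, the keep-alives are indeed leaving un-NATed, which is consistent with Andrey's explanation; a count of 0 while the client still never sees the probes points somewhere else.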