On 04/03/18 12:54, Andrey V. Elsukov wrote:
On 03.04.2018 13:45, Andrey V. Elsukov wrote:
Can anybody give any hint about the above behaviours or point me to good
documentation? The man pages are very brief on this, unfortunately.


Thanks for your answer.

ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
keep-alive packets are sent bypassing the rules. When you use NAT, I guess
the keep-alive packets have a private source address, because they do not go
through the NAT rule. And because of this the remote host drops them without

If this is the reason, since I run tcpdump on the client (internal network) I should have seen them arriving, shouldn't I?

You can try this patch:


It adds sysctl variable net.inet.ip.fw.bypass_own_packets, that can
control the behavior of M_SKIP_FIREWALL flag.

It seems this is a patch against HEAD and it doesn't apply cleanly to 11.1R. Unfortunately the file it modifies seems to have changed a lot and I don't know how to adapt this.

Is there a plan to get this patch in the source in the future?
If not, why? Are there any disadvantages?

 bye & Thanks
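As an added illustration of how to check for the behaviour Andrey describes (this is not code from the thread or from ipfw): a small Python checker over constructed tcpdump lines from the NAT box's outside interface, flagging zero-length ACK-only packets whose source address is still RFC 1918, i.e. keep-alives that left without being translated. The interface, addresses and capture lines are assumptions made up for the example.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -n -i <external-if> tcp` output on the NAT
# box's outside interface (assumption: not a real capture from the thread).
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.443: Flags [P.], seq 1:101, ack 1, win 1024, length 100
12:00:06.000002 IP 192.168.1.20.51234 > 198.51.100.5.443: Flags [.], ack 1, win 1024, length 0
12:00:06.000003 IP 10.0.0.7.40000 > 198.51.100.9.22: Flags [.], ack 1, win 65535, length 0
12:00:07.000004 IP 203.0.113.10.51234 > 198.51.100.5.443: Flags [.], ack 101, win 1024, length 0
"""

# RFC 1918 address space: a packet with such a source leaving the outside
# interface has not passed through the NAT rule.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*\blength (?P<length>\d+)$"
)


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["length"] = int(pkt["length"])
    return pkt


def is_untranslated(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def is_leaked_keepalive(pkt):
    # ipfw dynamic-rule keep-alives are bare ACKs with no payload; one leaving
    # the outside interface with a private source skipped the NAT rule.
    return pkt["flags"] == "." and pkt["length"] == 0 and is_untranslated(pkt["src"])


def find_leaked_keepalives(text):
    pkts = (parse_line(line) for line in text.splitlines())
    return [p for p in pkts if p and is_leaked_keepalive(p)]


if __name__ == "__main__":
    for p in find_leaked_keepalives(SAMPLE_TCPDUMP):
        print(f"untranslated keep-alive: {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}")
```

If the same capture taken on the inside interface shows no such packets arriving at the client, that matches the explanation that the keep-alives are generated on the NAT box itself and never traverse the inside network.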
freebsd-net@freebsd.org mailing list
