--- Original Message --- From: "Andrea Venturoli" Date: 7 April 2018, 17:19:00
> On 04/03/18 12:54, Andrey V. Elsukov wrote: > > On 03.04.2018 13:45, Andrey V. Elsukov wrote: > >>> Can anybody give any hint about the above behaviours or point me to good > >>> documentation? The man pages is very brief on this, unfortunately. > >> > >> Hi, > > Thanks for your answer. > > > > >> ipfw uses M_SKIP_FIREWALL flag for self-generated packets. Thus > >> keep-alive packets are sent bypass the rules. When you use NAT, I guess > >> keep-alive packets have private source address, because they are not go > >> through the NAT rule. And because of this remote host drops them without > >> reply. > > If this is the reason, since I run tcpdump on the client (internal > network) I should have seen them arriving, shouldn't I? > > > > > You can try this patch: > > > > https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff > > > > It adds sysctl variable net.inet.ip.fw.bypass_own_packets, that can > > control the behavior of M_SKIP_FIREWALL flag. > > It seems this is a patch against HEAD and it doesn't apply cleanly to > 11.1R. Unfortunately the file it modifies seems to have changed a lot > and I don't know how to adapt this. > > Is there a plan to get this patch in the source in the future? > If not, why? Are there any disadvantages? I have tested this patch (with some modifications) and with this patch ipfw works as expected for users behind NAT without any side effects. --- Vitaly _______________________________________________ email@example.com mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"