Re: Questions about ipfw's dynamic rules' dyn_keepalive

2018-07-04 Thread Andrea Venturoli

On 04/03/18 12:54, Andrey V. Elsukov wrote:
> On 03.04.2018 13:45, Andrey V. Elsukov wrote:
>>> Can anybody give any hint about the above behaviours or point me to good
>>> documentation? The man page is very brief on this, unfortunately.
>>
>> Hi,
>>
>> ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
>> keep-alive packets are sent bypassing the rules. When you use NAT, I guess
>> keep-alive packets have a private source address, because they do not go
>> through the NAT rule. And because of this the remote host drops them without
>> reply. Since there are no replies to keep-alive requests, a state times
>> out.
>
> You can try this patch:
>
> https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff
>
> It adds a sysctl variable, net.inet.ip.fw.bypass_own_packets, that can
> control the behavior of the M_SKIP_FIREWALL flag.



Hello.

Now that this patch applies cleanly to 11.2, I tried it.
After setting net.inet.ip.fw.bypass_own_packets to 0, I ran the same 
tests again: unfortunately nothing seems to have changed... I only see 
keep-alive packets when there's no NAT or FWD rule involved.


Is anything more required besides patching, recompiling the kernel and 
tuning the sysctl? Perhaps this setting must be done on boot and cannot 
be enabled later or something like that?


For wishmaster:
Since you said it works for you, can I ask which FreeBSD version you 
tested this on? Do you have any other patch or specific setup? How did 
you test this?


Thanks a lot to anyone
Andrea Venturoli
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"


Re: Questions about ipfw's dynamic rules' dyn_keepalive

2018-04-07 Thread Andrea Venturoli

On 04/03/18 12:54, Andrey V. Elsukov wrote:
> On 03.04.2018 13:45, Andrey V. Elsukov wrote:
>>> Can anybody give any hint about the above behaviours or point me to good
>>> documentation? The man page is very brief on this, unfortunately.
>>
>> Hi,


Hi,


Thanks for your answer.




>> ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
>> keep-alive packets are sent bypassing the rules. When you use NAT, I guess
>> keep-alive packets have a private source address, because they do not go
>> through the NAT rule. And because of this the remote host drops them without
>> reply.


If this is the reason, since I run tcpdump on the client (internal 
network) I should have seen them arriving, shouldn't I?





> You can try this patch:
>
> https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff
>
> It adds a sysctl variable, net.inet.ip.fw.bypass_own_packets, that can
> control the behavior of the M_SKIP_FIREWALL flag.


It seems this is a patch against HEAD and it doesn't apply cleanly to 
11.1R. Unfortunately the file it modifies seems to have changed a lot 
and I don't know how to adapt this.


Is there a plan to get this patch in the source in the future?
If not, why? Are there any disadvantages?


bye & Thanks
av.


Re: Questions about ipfw's dynamic rules' dyn_keepalive

2018-04-03 Thread Andrey V. Elsukov
On 03.04.2018 13:45, Andrey V. Elsukov wrote:
>> Can anybody give any hint about the above behaviours or point me to good
>> documentation? The man page is very brief on this, unfortunately.
> 
> Hi,
> 
> ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
> keep-alive packets are sent bypassing the rules. When you use NAT, I guess
> keep-alive packets have a private source address, because they do not go
> through the NAT rule. And because of this the remote host drops them without
> reply. Since there are no replies to keep-alive requests, a state times
> out.

You can try this patch:

https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff

It adds a sysctl variable, net.inet.ip.fw.bypass_own_packets, that can
control the behavior of the M_SKIP_FIREWALL flag.

-- 
WBR, Andrey V. Elsukov





Re: Questions about ipfw's dynamic rules' dyn_keepalive

2018-04-03 Thread Andrey V. Elsukov
On 03.04.2018 13:15, Andrea Venturoli wrote:
> Test 3: let's introduce NAT
> 
>> ipfw add 99 skipto 1 tcp from any to external-host http setup
>> keep-state
> 
> (skipto 1 is used to allow nat rules).
> With the same external host as before, now the rule times out!
>  
> Test 5: fwd to a jail on the router itself but using a different IP
> 
>> ipfw add 99 fwd 127.0.2.1 tcp from any to x.y.z.w http setup keep-state
> 
> telnet x.y.z.w 80
> 
> This time no keep-alives and the rule times out.
> I tried reasoning on this, but could not come up with an explanation.
> 
> Can anybody give any hint about the above behaviours or point me to good
> documentation? The man page is very brief on this, unfortunately.

Hi,

ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
keep-alive packets are sent bypassing the rules. When you use NAT, I guess
keep-alive packets have a private source address, because they do not go
through the NAT rule. And because of this the remote host drops them without
reply. Since there are no replies to keep-alive requests, a state times
out.

-- 
WBR, Andrey V. Elsukov
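Added example, not part of the thread and not ipfw code: a shell check for the symptom Andrey describes above. It scans tcpdump lines for zero-length ACKs leaving with an RFC1918 source address, which is what a keep-alive that skipped the NAT rule would look like on the external interface. It assumes ipfw keep-alives appear as bare ACKs; the sample capture lines, the interface name and all addresses are constructed.

```shell
#!/bin/sh
# Added example: detect ipfw keep-alives that left the router without being
# NATed, i.e. zero-length TCP ACKs seen on the external side with an RFC1918
# source host. On a real router the input would come from something like
#   tcpdump -n -l -i <external_if> tcp
# (interface name is an assumption); here a constructed sample is used.

# is_rfc1918 ADDR: exit 0 if ADDR is in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# unnated_keepalives: reads "tcpdump -n" lines on stdin and prints one line
# per private source host that sent a zero-length ACK, as "<count> <host>".
unnated_keepalives() {
  awk '$2 == "IP" && $(NF-1) == "length" && $NF == "0" {
         host = $3; sub(/\.[0-9]+$/, "", host)   # drop the trailing ".port"
         print host }' |
  while read -r host; do
    is_rfc1918 "$host" && printf '%s\n' "$host"
  done | sort | uniq -c | awk '{ print $1, $2 }'
}

# Constructed sample: two NATed ACKs with a public source, then two ACKs
# from the same flow that escaped NAT and still carry the client's private
# address. The tcpdump formatting is approximate.
SAMPLE='12:00:01.000001 IP 203.0.113.5.55123 > 198.51.100.10.80: Flags [.], ack 1, win 1024, length 0
12:00:01.000002 IP 198.51.100.10.80 > 203.0.113.5.55123: Flags [.], ack 1, win 1024, length 0
12:04:41.000003 IP 192.168.1.10.55123 > 198.51.100.10.80: Flags [.], ack 1, win 1024, length 0
12:04:46.000004 IP 192.168.1.10.55123 > 198.51.100.10.80: Flags [.], ack 1, win 1024, length 0'

printf '%s\n' "$SAMPLE" | unnated_keepalives   # prints: 2 192.168.1.10
```

A non-empty result on the external interface means states will expire the way the thread describes, since the remote host never answers those probes.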


