Luigi Rizzo wrote:
On Sat, Dec 02, 2006 at 09:00:13PM +0100, Max Laier wrote:
On Saturday 02 December 2006 19:00, James Halstead wrote:
Ok, the "obvious" part that I think I was missing while it was late,
was that these must be keep-alive packets generated by the firewall as
the dynamic rules are about to expire. That being the case however,
shouldn't these keep-alive packets take the same action as the original
rule (skipto 1000 and be diverted through NAT for processing)?
keep-alive packets are marked with M_SKIP_FIREWALL in netinet/ip_fw2.c::send_pkt. You could try to remove that, rebuild and see if it helps. I'm not sure what the reasoning behind this setting was and have no idea what implications it has to change it. If it helps your setup, we might want to consider a sysctl to change that behavior.

if i remember well, the M_SKIP_FIREWALL is because otherwise they
would reset the timer for the session as if a reply had come from
the other side.
i understand that this makes the interaction with nat a bit problematic.
On the other hand, i don't have a better solution.

Makes sense.

What about having the keep-alive packets take the action of the parent rule? I don't know if that is possible but it seems like it would solve the problem.

A note should be added to ipfw(8) to document this behavior, as knowing keep-alive skips the firewall would have saved me a lot of headache. Looks like ip_fw2.c comments are the only place that mention this.

Thanks,
-James


cheers
luigi

[snip]
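An added model of the timer interaction Luigi describes above (keep-alives skipping the firewall so they cannot be mistaken for a reply from the peer). It is constructed for this thread, not code from ip_fw2.c or from any poster; the struct names, constants and function names are hypothetical stand-ins for the kernel's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an ipfw dynamic-rule entry; not ip_fw2.c's own structs. */
#define KEEPALIVE_WINDOW 20   /* seconds before expiry at which keep-alives start */
#define TCP_EST_LIFETIME 300  /* lifetime granted by traffic that traverses the rule */

struct dyn_rule { uint32_t expire; };        /* absolute time the entry is dropped */
struct pkt      { bool skip_firewall; };     /* models M_SKIP_FIREWALL on the mbuf */

/* Dynamic-rule lookup for a packet re-entering the stack.  A packet flagged
 * to skip the firewall never reaches this lookup, so it cannot refresh the
 * timer; any other matching packet is treated as live session traffic. */
bool dyn_rule_match(struct dyn_rule *r, const struct pkt *p, uint32_t now)
{
    if (p->skip_firewall || now >= r->expire)
        return false;
    r->expire = now + TCP_EST_LIFETIME;
    return true;
}

/* Periodic timer: emit a keep-alive once the entry is close to expiring
 * (the point at which send_pkt marks the packet M_SKIP_FIREWALL). */
bool dyn_rule_tick(const struct dyn_rule *r, uint32_t now, struct pkt *out)
{
    if (now >= r->expire || r->expire - now > KEEPALIVE_WINDOW)
        return false;
    out->skip_firewall = true;
    return true;
}

/* Idle session from the thread: no real traffic, keep-alives near expiry.
 * Returns the entry's expiry after the keep-alives: unchanged when the skip
 * flag is honoured, pushed out when the flag is cleared (Max's experiment),
 * because the firewall would then read its own keep-alive as a reply. */
uint32_t simulate_idle(bool honour_skip_flag)
{
    struct dyn_rule r = { .expire = TCP_EST_LIFETIME };
    struct pkt ka;
    for (uint32_t now = 0; now < TCP_EST_LIFETIME; now++) {
        if (!dyn_rule_tick(&r, now, &ka))
            continue;
        if (!honour_skip_flag)
            ka.skip_firewall = false;  /* keep-alive re-enters the rule chain */
        dyn_rule_match(&r, &ka, now);
    }
    return r.expire;
}

int main(void)
{
    printf("expiry, flag honoured: %u; flag cleared: %u\n",
           simulate_idle(true), simulate_idle(false));
}
```

With the flag honoured the entry still expires at 300; with it cleared the first keep-alive alone extends the entry to 580, which is the self-refreshing session Luigi's remark warns about.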

freebsd-ipfw mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
