On 04/03/18 12:54, Andrey V. Elsukov wrote:
On 03.04.2018 13:45, Andrey V. Elsukov wrote:
Can anybody give any hint about the above behaviours or point me to good
documentation? The man pages are very brief on this, unfortunately.

Hi,

ipfw uses the M_SKIP_FIREWALL flag for self-generated packets. Thus
keep-alive packets are sent bypassing the rules. When you use NAT, I guess
keep-alive packets have a private source address, because they do not go
through the NAT rule. And because of this the remote host drops them without
reply. Since there are no replies to keep-alive requests, a state times
out.

You can try this patch:

        https://people.freebsd.org/~ae/ipfw_bypass_own_packets11.diff

It adds a sysctl variable, net.inet.ip.fw.bypass_own_packets, that can
control the behavior of the M_SKIP_FIREWALL flag.


Hello.

Now that this patch applies cleanly to 11.2, I tried it.
After setting net.inet.ip.fw.bypass_own_packets to 0, I ran the same tests again: unfortunately nothing seems to have changed... I only see keep-alive packets when there's no NAT or FWD rule involved.

Is anything more required besides patching, recompiling the kernel and tuning the sysctl? Perhaps this setting must be done on boot and cannot be enabled later or something like that?

For wishmaster:
Since you said it works for you, can I ask which FreeBSD version you tested this on? Do you have any other patch or specific setup? How did you test this?

 Thanks a lot to anyone
        Andrea Venturoli
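The check below is an added example and is not from either poster or from the patch. It encodes the two things the thread turns on: whether the running kernel actually exposes net.inet.ip.fw.bypass_own_packets (if sysctl(8) prints nothing, the patched kernel is not what booted), and whether it is set to 0 before looking for keep-alive ACKs on the outside interface. The interface name em0 and the helper names are assumptions; the parsing functions take the sysctl(8) output line as an argument so they can be exercised without a FreeBSD box.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the bypass_own_packets
# sysctl before re-running keep-alive tests behind NAT/fwd rules.

SYSCTL_NAME="net.inet.ip.fw.bypass_own_packets"

# Extract the value from a "name: value" line as printed by sysctl(8).
# Prints nothing if the line is not for the expected OID (e.g. sysctl
# printed an "unknown oid" error, which goes to stderr anyway).
parse_sysctl_value() {
    line="$1"
    case "$line" in
        "$SYSCTL_NAME: "*) printf '%s\n' "${line#"$SYSCTL_NAME: "}" ;;
        *) ;;
    esac
}

# Classify the setting from one sysctl(8) output line:
#   missing  - OID not present: the running kernel was built without the
#              patch (check 'uname -v' against the rebuilt kernel)
#   bypass   - value 1: ipfw still skips its own keep-alives (M_SKIP_FIREWALL)
#   filtered - value 0: keep-alives should now traverse NAT/fwd rules
classify_bypass() {
    value=$(parse_sysctl_value "$1")
    if [ -z "$value" ]; then
        echo missing
    elif [ "$value" = "0" ]; then
        echo filtered
    else
        echo bypass
    fi
}

# Live check for the FreeBSD host under test. 'em0' is a placeholder for
# the outside (post-NAT) interface.
live_check() {
    iface="${1:-em0}"
    out=$(sysctl "$SYSCTL_NAME" 2>/dev/null || true)
    state=$(classify_bypass "$out")
    echo "bypass_own_packets state: $state"
    case "$state" in
        missing)
            echo "OID not present: the booted kernel does not carry the patch" ;;
        bypass)
            echo "still 1; set it with: sysctl $SYSCTL_NAME=0" ;;
        filtered)
            echo "capturing zero-payload ACKs (keep-alive probes) leaving $iface:"
            # Pure ACKs with no TCP payload; source should be the NAT address.
            tcpdump -ni "$iface" \
              'tcp[tcpflags] == tcp-ack and (ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) == 0' ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    live_check "$2"
fi
```

Run it as `sh check_bypass.sh --live em0` on the firewall itself; if the state comes back as `missing` after the sysctl was supposedly tuned, the kernel in /boot is not the one that was rebuilt with the patch, which would explain seeing no change at all.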
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net