From owner-freebsd-ipfw@FreeBSD.ORG Sat Dec 2 21:44:43 2006
Message-ID: <4571F3C9.7060302@fsisys.com>
Date: Sat, 02 Dec 2006 15:44:41 -0600
From: James Halstead
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org
References: <45711296.8010709@fsisys.com> <4571BF45.3010608@fsisys.com> <200612022100.24704.max@love2party.net> <20061202122121.A3343@xorpc.icir.org>
In-Reply-To: <20061202122121.A3343@xorpc.icir.org>
Subject: Re: Mysterious packets with stateful ipfw+nat
List-Id: IPFW Technical Discussions

Luigi Rizzo wrote:
> On Sat, Dec 02, 2006 at 09:00:13PM +0100, Max Laier wrote:
>> On Saturday 02 December 2006 19:00, James Halstead wrote:
>>> Ok, the "obvious" part that I think I was missing while it was late,
>>> was that these must be keep-alive packets generated by the firewall as
>>> the dynamic rules are about to expire. That being the case however,
>>> shouldn't these keep-alive packets take the same action as the original
>>> rule (skipto 1000 and be diverted through NAT for processing)?
>>
>> keep-alive packets are marked with M_SKIP_FIREWALL in
>> netinet/ip_fw2.c::send_pkt. You could try to remove that, rebuild and see
>> if it helps. I'm not sure what the reasoning behind this setting was and
>> have no idea what implications it has to change it. If it helps your
>> setup we might want to consider a sysctl to change that behavior.
>
> if i remember well, the M_SKIP_FIREWALL is because otherwise they
> would reset the timer for the session as if a reply had come from
> the other side.
> i understand that this makes the interaction with nat a bit problematic.
> On the other hand, i don't have a better solution.

Makes sense. What about having the keep-alive packets take the action of
the parent rule? I don't know if that is possible but it seems like it
would solve the problem.

A note should be added to ipfw(8) to document this behavior, as knowing
keep-alive skips the firewall would have saved me a lot of headache.
Looks like ip_fw2.c comments are the only place that mention this.

Thanks,
-James

>
> cheers
> luigi
> [snip]
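The trade-off Luigi describes can be made concrete with a small simulation. The following is an added illustration, not code from the thread and not FreeBSD's ip_fw2.c: it models one dynamic rule whose parent action is `skipto 1000` (the NAT divert), lets the session sit idle, and compares the two policies. With `skip_firewall=True` (the `M_SKIP_FIREWALL` behaviour) the keep-alives never re-enter ipfw, so the rule still expires on schedule, but the keep-alives also never reach the divert rule and leave the outside interface with the inside source address, which is the "mysterious packets" symptom. With `skip_firewall=False` they are NATed, but they match the dynamic rule on the way through and refresh its timer, so an idle session never expires. The lifetime and keep-alive timings, the single outbound keep-alive per period, the 192.168.1.x inside network and the 203.0.113.1 / 198.51.100.7 addresses are all assumptions of this model.

```python
"""Constructed model of ipfw stateful keep-alives and the M_SKIP_FIREWALL
trade-off discussed in the thread. Not FreeBSD code: the lifetimes, the
single-direction keep-alive and the addresses are assumptions."""
from dataclasses import dataclass, replace

LIFETIME = 300          # seconds an idle established session stays in the dynamic table (assumed)
KEEPALIVE_WINDOW = 20   # keep-alives are generated during the last N seconds (assumed)
KEEPALIVE_PERIOD = 5    # one keep-alive every N seconds inside that window (assumed)
INTERNAL = "192.168.1." # inside network; 192.168.1.1 is the gateway in the thread
PUBLIC = "203.0.113.1"  # NAT address on the outside interface (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    keepalive: bool = False
    skip_firewall: bool = False   # models the M_SKIP_FIREWALL mbuf flag


@dataclass
class DynRule:
    src: str
    dst: str
    expire: int
    action: str                   # parent rule's action, e.g. "skipto 1000"

    def matches(self, pkt):
        return {pkt.src, pkt.dst} == {self.src, self.dst}


class Gateway:
    def __init__(self, skip_firewall):
        self.skip_firewall = skip_firewall
        self.rules = []       # dynamic rules created by keep-state
        self.egress = []      # what the outside interface sees

    def nat(self, pkt):
        # The 'skipto 1000' branch: divert to natd rewrites inside sources.
        return replace(pkt, src=PUBLIC) if pkt.src.startswith(INTERNAL) else pkt

    def firewall(self, pkt, now):
        """One ipfw pass. A packet that matches a dynamic rule refreshes the
        rule's timer and takes the parent rule's action."""
        for r in self.rules:
            if r.matches(pkt):
                r.expire = now + LIFETIME
                out = self.nat(pkt) if r.action == "skipto 1000" else pkt
                self.egress.append(out)
                return out
        return None           # no matching state: dropped in this model

    def open_session(self, src, dst, now):
        self.rules.append(DynRule(src, dst, now + LIFETIME, "skipto 1000"))
        return self.firewall(Packet(src, dst), now)

    def tick(self, now):
        """Periodic housekeeping: expire old rules, emit keep-alives for rules
        about to expire (only the outbound keep-alive is modelled)."""
        self.rules = [r for r in self.rules if r.expire > now]
        for r in list(self.rules):
            if r.expire - now <= KEEPALIVE_WINDOW and now % KEEPALIVE_PERIOD == 0:
                ka = Packet(r.src, r.dst, keepalive=True, skip_firewall=self.skip_firewall)
                if ka.skip_firewall:
                    self.egress.append(ka)    # straight to the wire: no divert, no NAT
                else:
                    self.firewall(ka, now)    # re-enters ipfw: NATed, but timer refreshed


def simulate(skip_firewall, idle_seconds=1000):
    """Open one session, let it sit idle, and report what the gateway did."""
    gw = Gateway(skip_firewall)
    gw.open_session(INTERNAL + "50", "198.51.100.7", now=0)
    for t in range(1, idle_seconds + 1):
        gw.tick(t)
    keepalives = [p for p in gw.egress if p.keepalive]
    return {
        "rule_alive": bool(gw.rules),
        "keepalives_sent": len(keepalives),
        # the 'mysterious packets': inside addresses seen on the outside interface
        "unnatted_egress": sum(p.src.startswith(INTERNAL) for p in gw.egress),
    }


if __name__ == "__main__":
    for policy in (True, False):
        print("skip_firewall=%s -> %s" % (policy, simulate(policy)))
```

Running it shows the two halves of the trade-off side by side: under `skip_firewall=True` the rule is gone after the idle lifetime and every keep-alive on the outside interface carries a 192.168.1.x source; under `skip_firewall=False` the keep-alives are correctly NATed but the rule is still alive after 1000 idle seconds because each keep-alive reset its own timer. The `unnatted_egress` count is also the check a defender would run on a real gateway: inside addresses appearing on the external interface are the observable signature of this behaviour.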