Date: Sat, 02 Dec 2006 15:44:41 -0600
From: James Halstead <jhalstead@fsisys.com>
To: Luigi Rizzo <rizzo@icir.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Mysterious packets with stateful ipfw+nat
Message-ID: <4571F3C9.7060302@fsisys.com>
In-Reply-To: <20061202122121.A3343@xorpc.icir.org>
References: <45711296.8010709@fsisys.com> <4571BF45.3010608@fsisys.com> <200612022100.24704.max@love2party.net> <20061202122121.A3343@xorpc.icir.org>
Luigi Rizzo wrote:
> On Sat, Dec 02, 2006 at 09:00:13PM +0100, Max Laier wrote:
>> On Saturday 02 December 2006 19:00, James Halstead wrote:
>>> Ok, the "obvious" part that I think I was missing while it was late,
>>> was that these must be keep-alive packets generated by the firewall as
>>> the dynamic rules are about to expire. That being the case however,
>>> shouldn't these keep-alive packets take the same action as the original
>>> rule (skipto 1000 and be diverted through NAT for processing)?
>> keep-alive packets are marked with M_SKIP_FIREWALL in
>> netinet/ip_fw2.c::send_pkt. You could try to remove that, rebuild and see
>> if it helps. I'm not sure what the reasoning behind this setting was and
>> have no idea what implications it has to change it. If it helps your
>> setup we might want to consider a sysctl to change that behavior.
>
> if i remember well, the M_SKIP_FIREWALL is because otherwise they
> would reset the timer for the session as if a reply had come from
> the other side.
> i understand that this makes the interaction with nat a bit problematic.
> On the other hand, i don't have a better solution.

Makes sense. What about having the keep-alive packets take the action of the
parent rule? I don't know if that is possible but it seems like it would solve
the problem.

A note should be added to ipfw(8) to document this behavior, as knowing
keep-alive skips the firewall would have saved me a lot of headache. Looks like
ip_fw2.c comments are the only place that mention this.

Thanks,
-James

>
> cheers
> luigi
> [snip]
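The setup under discussion, as an added example (this is not code from the thread, from the poster, or from FreeBSD itself): a stateful ipfw ruleset of the shape described above, where the keep-state rule's action is skipto 1000 and the block at 1000 diverts to natd, plus the checks a practitioner would run when chasing keep-alive packets that bypass that path. The interface name em0, the LAN prefix 192.168.1.0/24 and the natd divert port are assumptions; net.inet.ip.fw.dyn_keepalive (keep-alive generation on/off) and net.inet.ip.fw.dyn_ack_lifetime (lifetime of an established TCP entry) are existing ipfw sysctls. The script runs ipfw for real only as root on a box that has it, and otherwise prints the commands it would run.

```shell
#!/bin/sh
# Added illustration, not code from the thread or from FreeBSD: a stateful
# ipfw + natd ruleset shaped like the one the original poster describes
# (keep-state rule whose action is "skipto 1000", NAT block at 1000 that
# diverts to natd), plus checks for the keep-alive behaviour discussed.
# Interface, LAN prefix and natd divert port are assumptions.
set -eu

IF=${IF:-em0}                  # assumption: outside interface
LAN=${LAN:-192.168.1.0/24}     # assumption: inside network
NATD_PORT=${NATD_PORT:-8668}   # natd(8) default divert port

# Run for real only as root on a host that has ipfw; otherwise print what
# would be run, so the ruleset can be reviewed off-box.
if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    IPFW=ipfw
    SYSCTL=sysctl
else
    IPFW="echo ipfw"
    SYSCTL="echo sysctl"
fi

load_ruleset() {
    $IPFW -f flush
    # Inbound from the outside: undo the translation before any matching.
    $IPFW add 100 divert "$NATD_PORT" ip from any to any in via "$IF"
    # Packets of an existing session take the action of the rule that
    # created the dynamic entry, i.e. the skipto in rule 300.
    $IPFW add 200 check-state
    # New outbound TCP from the LAN: create state, then jump to the NAT block.
    $IPFW add 300 skipto 1000 tcp from "$LAN" to any out via "$IF" setup keep-state
    $IPFW add 400 deny ip from any to any
    # NAT block: translate, then pass.
    $IPFW add 1000 divert "$NATD_PORT" ip from any to any out via "$IF"
    $IPFW add 1100 allow ip from any to any
}

# Keep-alives the kernel sends for dynamic TCP entries near expiry carry
# M_SKIP_FIREWALL, so they never hit rule 300 or the divert at 1000 and
# leave without passing through natd. Inspect the dynamic table and the
# sysctls that govern keep-alive generation and entry lifetime.
show_dynamic_state() {
    $IPFW -d show
    $SYSCTL net.inet.ip.fw.dyn_keepalive
    $SYSCTL net.inet.ip.fw.dyn_ack_lifetime
}

# Turning keep-alives off stops the packets that bypass the NAT path; idle
# sessions then expire after dyn_ack_lifetime and must be re-established.
disable_keepalives() {
    $SYSCTL net.inet.ip.fw.dyn_keepalive=0
}

load_ruleset
show_dynamic_state
```

With keep-alives enabled, `ipfw -d show` lists the dynamic entries alongside the parent rule number (300 here) and their remaining lifetime; the keep-alive packets sent shortly before that lifetime reaches zero are the ones that skip the ruleset. Disabling them is a workaround rather than a fix: the trade-off is that idle-but-live TCP sessions lose their state once dyn_ack_lifetime elapses.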