Date:      Sat, 02 Dec 2006 15:44:41 -0600
From:      James Halstead <>
To:        Luigi Rizzo <>
Subject:   Re: Mysterious packets with stateful ipfw+nat
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <>

Luigi Rizzo wrote:
> On Sat, Dec 02, 2006 at 09:00:13PM +0100, Max Laier wrote:
>> On Saturday 02 December 2006 19:00, James Halstead wrote:
>>> Ok, the "obvious" part that I think I was missing while it was late,
>>> was that these must be keep-alive packets generated by the firewall as
>>> the dynamic rules are about to expire. That being the case however,
>>> shouldn't these keep-alive packets take the same action as the original
>>> rule (skipto 1000 and be diverted through NAT for processing)?
>> keep-alive packets are marked with M_SKIP_FIREWALL in 
>> netinet/ip_fw2.c::send_pkt  You could try to remove that, rebuild and see 
>> if it helps.  I'm not sure what the reasoning behind this setting was and 
>> have no idea what implications it has to change it.  If it helps your 
>> setup we might want to consider a sysctl to change that behavior.
> if i remember well, the M_SKIP_FIREWALL is because otherwise they
> would reset the timer for the session as if a reply had come from
> the other side.
> i understand that this makes the interaction with nat a bit problematic.
> On the other hand, i don't have a better solution.

Makes sense.

What about having the keep-alive packets take the action of the parent 
rule? I don't know if that is possible but it seems like it would solve 
the problem.

A note should be added to ipfw(8) to document this behavior, as knowing 
keep-alive skips the firewall would have saved me a lot of headache. 
Looks like ip_fw2.c comments are the only place that mention this.


> cheers
> luigi
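
A toy model of the trade-off discussed in this thread, added here as an illustration (it is not ipfw's or the FreeBSD kernel's code). It assumes a three-rule set like the one described above (check-state, a `skipto 1000 ... keep-state` rule, and a divert-to-natd rule at 1000), and it uses a constructed `skip_firewall` flag in place of the mbuf flag M_SKIP_FIREWALL. With the flag set, keep-alives never reach the divert rule (so they leave un-NATed, the "mysterious packets"); with the flag cleared, a keep-alive matching the dynamic rule refreshes the rule's own timer, so a session whose peer is gone never expires, which is the objection raised above.

```python
"""Toy model of ipfw keep-alives versus NAT divert (illustration, not ipfw code).

Constructed constants: a 300 s dynamic-rule lifetime, keep-alives sent during the
last 20 s, and a 10 s simulation tick.  Real ipfw timing and the two-directional
keep-alives it sends are deliberately simplified.
"""
from dataclasses import dataclass, field

LIFETIME = 300         # constructed dynamic-rule lifetime in seconds
KEEPALIVE_WINDOW = 20  # constructed: emit keep-alives this close to expiry
TICK = 10              # constructed clock step in seconds


@dataclass
class Packet:
    flow: str                     # constructed flow label, e.g. "src:port->dst:port"
    skip_firewall: bool = False   # stands in for M_SKIP_FIREWALL
    keepalive: bool = False       # True for firewall-generated keep-alives


@dataclass
class Firewall:
    keepalives_skip_firewall: bool          # True models current ipfw behaviour
    now: int = 0
    dyn: dict = field(default_factory=dict)      # flow -> expiry time
    natted: list = field(default_factory=list)   # packets that reached divert

    def process(self, pkt):
        """Walk the toy ruleset and return the final action for this packet."""
        if pkt.skip_firewall:
            return "bypass"          # never enters the ruleset, never diverted
        if pkt.flow in self.dyn:     # rule 100 check-state: a match refreshes the timer
            self.dyn[pkt.flow] = self.now + LIFETIME
            self.natted.append(pkt)
            return "divert"          # parent rule's action: skipto 1000 -> divert natd
        self.dyn[pkt.flow] = self.now + LIFETIME   # rule 200 keep-state creates the entry
        self.natted.append(pkt)
        return "divert"

    def tick(self, peer_alive):
        """Advance the clock, expire old rules, emit keep-alives for rules near expiry."""
        self.now += TICK
        for flow, expiry in list(self.dyn.items()):
            if expiry <= self.now:
                del self.dyn[flow]                 # dynamic rule timed out
            elif expiry - self.now <= KEEPALIVE_WINDOW:
                ka = Packet(flow, self.keepalives_skip_firewall, keepalive=True)
                self.process(ka)                   # the firewall sends a keep-alive
                if peer_alive:                     # a genuine reply refreshes the state
                    self.process(Packet(flow))


def simulate(keepalives_skip_firewall, peer_alive, seconds=2 * LIFETIME):
    """Open one session, run the clock, and report what happened to keep-alives."""
    fw = Firewall(keepalives_skip_firewall)
    fw.process(Packet("10.0.0.2:1234->203.0.113.5:80"))   # constructed flow opens the session
    for _ in range(seconds // TICK):
        fw.tick(peer_alive)
    return {
        "keepalives_natted": sum(p.keepalive for p in fw.natted),
        "session_alive": bool(fw.dyn),
    }


if __name__ == "__main__":
    for skip in (True, False):
        for alive in (False, True):
            print(f"skip_firewall={skip} peer_alive={alive}:", simulate(skip, alive))
```

Running it shows the two sides of the argument side by side: with `skip_firewall=True` and a dead peer the keep-alives are never NATed but the state does expire; with `skip_firewall=False` the keep-alives pass through the divert rule, yet the session stays alive indefinitely even when nothing answers.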
