Index: sys/netpfil/ipfw/ip_fw2.c
===================================================================
--- sys/netpfil/ipfw/ip_fw2.c (revision 332885)
+++ sys/netpfil/ipfw/ip_fw2.c (working copy)
@@ -124,6 +124,7 @@ static int default_to_accept;
 VNET_DEFINE(int, autoinc_step);
 VNET_DEFINE(int, fw_one_pass) = 1;
+VNET_DEFINE(int, bypass_own_packets) = 1;
 VNET_DEFINE(unsigned int, fw_tables_max);
 VNET_DEFINE(unsigned int, fw_tables_sets) = 0; /* Don't use set-aware tables */
@@ -209,6 +210,9 @@ TUNABLE_INT("net.inet.ip.fw.tables_max", (int *)&d
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_VNET | CTLFLAG_RD, &VNET_NAME(layer3_chain.n_rules), 0, "Number of static rules");
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, bypass_own_packets,
+ CTLFLAG_VNET | CTLFLAG_RWTUN, &VNET_NAME(bypass_own_packets), 0,
+ "Enable firewall bypass for generated by ipfw(4) packets");
 #ifdef INET6
 SYSCTL_DECL(_net_inet6_ip6);
@@ -522,7 +526,8 @@ ipfw_send_abort(struct mbuf *replyto, struct ipfw_
 plen = sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
 tlen = hlen + plen;
 m->m_data += max_linkhdr;
- m->m_flags |= M_SKIP_FIREWALL;
+ if (V_bypass_own_packets)
+ m->m_flags |= M_SKIP_FIREWALL;
 m->m_pkthdr.len = m->m_len = tlen;
 m->m_pkthdr.rcvif = NULL;
 bzero(m->m_data, tlen);
Index: sys/netpfil/ipfw/ip_fw_dynamic.c
===================================================================
--- sys/netpfil/ipfw/ip_fw_dynamic.c (revision 332885)
+++ sys/netpfil/ipfw/ip_fw_dynamic.c (working copy)
@@ -2261,7 +2261,8 @@ dyn_mgethdr(int len, uint16_t fibnum)
 #endif
 M_SETFIB(m, fibnum);
 m->m_data += max_linkhdr;
- m->m_flags |= M_SKIP_FIREWALL;
+ if (V_bypass_own_packets)
+ m->m_flags |= M_SKIP_FIREWALL;
 m->m_len = m->m_pkthdr.len = len;
 bzero(m->m_data, len);
 return (m);
Index: sys/netpfil/ipfw/ip_fw_private.h
===================================================================
--- sys/netpfil/ipfw/ip_fw_private.h (revision 332885)
+++ sys/netpfil/ipfw/ip_fw_private.h (working copy)
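Review bot: The sysctl description added in the `@@ -209,6 +210,9 @@` hunk of ip_fw2.c is ungrammatical and does not say what setting the knob to 0 does to the packets ipfw builds itself; I would use `"Skip the ruleset for packets ipfw(4) generates itself (0 = evaluate them like any other packet)"`. The default `= 1` in the first hunk preserves today's behaviour, so the operator-visible consequence of 0 — ipfw's own replies such as the SCTP ABORT built in `ipfw_send_abort()` now pass through the rule set on output and can be dropped by it — should also be spelled out wherever the sysctl list is documented. One thing to confirm rather than a defect I can see from here: once such a reply no longer carries `M_SKIP_FIREWALL`, it can itself match a reject/reset rule, so please check that the reply path declines to answer an ABORT or RST with another one, otherwise disabling the bypass could set up a reply loop. `ipfw_send_abort()` starts before the hunk and continues after it.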
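Review bot: The new guard in the `dyn_mgethdr()` hunk of ip_fw_dynamic.c deserves a why-comment, because dropping `M_SKIP_FIREWALL` changes how every mbuf this helper hands out is treated by pfil on output, and nothing at the call sites will hint at that. I would put `/* Without M_SKIP_FIREWALL the ruleset sees this packet again on output (net.inet.ip.fw.bypass_own_packets=0). */` above the `if (V_bypass_own_packets)`. The function begins before the hunk (only its trailing `#endif` is visible), so any header comment describing the sysctl's effect would go outside what is shown here.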
@@ -231,6 +231,9 @@ uint32_t ipfw_dyn_get_count(void);
 VNET_DECLARE(int, fw_one_pass);
 #define V_fw_one_pass VNET(fw_one_pass)
+VNET_DECLARE(int, bypass_own_packets);
+#define V_bypass_own_packets VNET(bypass_own_packets)
+
 VNET_DECLARE(int, fw_verbose);
 #define V_fw_verbose VNET(fw_verbose)
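Review bot: The new `VNET_DECLARE(int, bypass_own_packets);` in ip_fw_private.h carries no comment, and this header is where other files will learn what the knob means. A one-liner above it would do: `/* net.inet.ip.fw.bypass_own_packets: set M_SKIP_FIREWALL on packets ipfw builds itself (default 1). */`, the name and default being what ip_fw2.c defines. The surrounding declarations follow the same declare/define pair pattern, so the added blank line after `#define V_bypass_own_packets` is consistent with them.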