Index: sys/netpfil/ipfw/ip_fw2.c
===================================================================
--- sys/netpfil/ipfw/ip_fw2.c (revision 330016)
+++ sys/netpfil/ipfw/ip_fw2.c (working copy)
@@ -112,6 +112,9 @@ static VNET_DEFINE(int, fw_deny_unknown_exthdrs);
 static VNET_DEFINE(int, fw_permit_single_frag6) = 1;
 #define V_fw_permit_single_frag6 VNET(fw_permit_single_frag6)
+static VNET_DEFINE(int, bypass_own_packets) = 1;
+#define V_bypass_own_packets VNET(bypass_own_packets)
+
 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
 static int default_to_accept = 1;
 #else
@@ -205,6 +208,9 @@ TUNABLE_INT("net.inet.ip.fw.tables_max", (int *)&d
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_VNET | CTLFLAG_RD,
 &VNET_NAME(layer3_chain.n_rules), 0, "Number of static rules");
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, bypass_own_packets,
+ CTLFLAG_VNET | CTLFLAG_RWTUN, &VNET_NAME(bypass_own_packets), 0,
+ "Enable firewall bypass for generated by ipfw(4) packets");
 #ifdef INET6
 SYSCTL_DECL(_net_inet6_ip6);
@@ -519,7 +525,8 @@ ipfw_send_pkt(struct mbuf *replyto, struct ipfw_fl
 dir = ((flags & (TH_SYN | TH_RST)) == TH_SYN);
 m->m_data += max_linkhdr;
- m->m_flags |= M_SKIP_FIREWALL;
+ if (V_bypass_own_packets)
+ m->m_flags |= M_SKIP_FIREWALL;
 m->m_pkthdr.len = m->m_len = len;
 m->m_pkthdr.rcvif = NULL;
 bzero(m->m_data, len);
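Review bot: The description string of the new SYSCTL_INT is ungrammatical ("Enable firewall bypass for generated by ipfw(4) packets") and it is the only user-visible documentation of the knob, so it should read `"Enable firewall bypass for packets generated by ipfw(4)"`. Because the variable is CTLFLAG_RWTUN and defaults to 1, an operator who sets it to 0 changes how the packets built in ipfw_send_pkt() are filtered, which deserves a matching entry in the sysctl list of the ipfw manual page rather than this string alone.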
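Review bot: With the new guard, a bypass_own_packets value of 0 sends every packet ipfw_send_pkt() builds back through the ruleset like any other locally originated packet, so a ruleset whose last matching rule is a deny (or one with no rule covering these replies) can now drop ipfw's own TCP resets; the hunk does not record that trade-off anywhere near the `if`. A comment above it would make the behaviour explicit: `/* Replies built here skip the ruleset unless net.inet.ip.fw.bypass_own_packets is 0. */`. The rest of ipfw_send_pkt(), including where the packet is handed to ip_output(), lies outside this hunk, so whether anything downstream still relies on M_SKIP_FIREWALL being set cannot be confirmed from here.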