Date: Tue, 14 Sep 1999 14:17:20 -0700 (PDT)
From: Julian Elischer
To: Andre Chang
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW configuration as a transparent proxy

Try tcpdump to watch the packets.

On Tue, 14 Sep 1999, Andre Chang wrote:

> Thanks for the information,
>
> I however still haven't figured out my problem.. here it is:
>
> I'm using only one interface on the machine running IPFW
> (fxp1 - the machine has 2 interfaces but I'm only using one)
>
> the client, IPFW and the proxy machine are on the same subnet
> (win98, FreeBSD 3.2-RELEASE and NT4.0 proxy respectively)
>
> the client's gateway is the IPFW machine
>
> the rule on the IPFW machine:
> ipfw add 500 fwd 10.0.0.1,80 log tcp from 10.0.0.100 to any 80 in recv fxp1
>
> For testing purposes I specified logging and the actual ip of the client.
>
> The logs show a matched rule when I attempt to open the browser:
> ipfw: 500 Forward to 10.0.0.1:80 TCP 10.0.0.100:1158 204.141.86.3:80 in via fxp1
>
> This looks ok but then the browser returns an unable to connect message. I
> can't seem to figure out what is wrong here. Any insight will be greatly
> appreciated. Thanks for the existing comments.
>
>
> -- Andre Chang
> Network Engineer.
> High Caliber Systems, Inc.
>
> -----Original Message-----
> From: Julian Elischer
> To: Andre Chang
> Cc: freebsd-ipfw@FreeBSD.ORG
> Date: Tuesday, September 14, 1999 2:37 PM
> Subject: Re: IPFW configuration as a transparent proxy
>
>
> >The fwd option forces a packet to be sent to:
> >
> > 1/ a nominated local socket
> >or
> > 2/ out a nominated interface to a nominated 2nd machine.
> >
> >However it doesn't change the packet in any way.. this means that in case
> >(2) above, the second machine will not accept the packet unless it also
> >has a 'fwd' rule to make it do so (as in case 1). If this is not the
> >case, it will examine the packet and send it towards its original
> >destination.
> >
> >In the first case, this basically allows transparent proxy, by redirecting
> >all outgoing requests to port 80 (that are not starting at the local
> >machine) (i.e. requests coming in on the local interface that would
> >normally be routed out your WAN interface) to be redirected to whatever
> >port your proxy is listening on.
> >
> >e.g.
> >ipfw add 2 fwd 127.0.0.1,3137 tcp from any to any 80 out recv ed1 xmit ng0
> >
> >This redirects any packets that are about to go out through ng0 (our LAN
> >frame relay link), that originated on the LAN (ed1). The reason for being so
> >specific is that we don't want to capture the requests that the proxy
> >makes!
> >
> >hope this helps!
> >
> >julian
> >
> >
> >On Tue, 14 Sep 1999, Andre Chang wrote:
> >
> >> Hello,
> >>
> >> I would like to know if this is the place to ask about configuring IPFW to serve
> >> as a transparent proxy by use of the IPFW's "fwd" option.
> >>
> >> Is there anyone who has used this option toward this goal or something
> >> similar?
> >> Any response on this topic would be greatly appreciated. Thank You.
> >>
> >> -- Andre Chang
> >> Network Engineer.
> >> High Caliber Systems, Inc.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
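
An added example, not part of the original thread: a small Python model of the fwd behaviour described in the quoted reply (the next hop changes, the packet header does not), run over the addresses from the quoted rule and log line. The class and function names, the firewall address 10.0.0.254 and the interface name `if0` are assumptions, and ipfw matching is reduced to destination port and receive interface.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class FwdRule:
    """Reduced form of: fwd <to_ip>,<to_port> tcp from any to any <dport> recv <recv>"""
    to_ip: str
    to_port: int
    dport: int
    recv: str

@dataclass
class Host:
    name: str
    addrs: set
    rules: list = field(default_factory=list)

    def receive(self, pkt, iface, net):
        """Return (host name, outcome). iface is None for locally originated packets."""
        for r in self.rules:
            if pkt.dport == r.dport and iface == r.recv:
                if r.to_ip in self.addrs:
                    # Case 1: handed to a local socket, header untouched.
                    return self.name, f"local socket :{r.to_port}, dst still {pkt.dst}"
                # Case 2: only the next hop changes; the same packet is passed on.
                nxt, nxt_if = net[r.to_ip]
                return nxt.receive(pkt, nxt_if, net)
        if pkt.dst in self.addrs:
            return self.name, f"accepted on :{pkt.dport}"
        return self.name, f"not addressed to me, routed toward {pkt.dst}"

def run(proxy_rules):
    """Topology from the thread; firewall address and interface 'if0' are constructed."""
    pkt = Packet("10.0.0.100", "204.141.86.3", 80)  # addresses from the quoted log line
    proxy = Host("proxy", {"10.0.0.1", "127.0.0.1"}, proxy_rules)
    fw = Host("ipfw", {"10.0.0.254", "127.0.0.1"}, [FwdRule("10.0.0.1", 80, 80, "fxp1")])
    return fw.receive(pkt, "fxp1", {"10.0.0.1": (proxy, "if0")})

if __name__ == "__main__":
    print(run([]))                                     # proxy host without a fwd rule
    print(run([FwdRule("127.0.0.1", 80, 80, "if0")]))  # proxy host with its own fwd rule
```

The first call shows the packet reaching the proxy host with its original destination address and not being accepted there; the second shows it delivered once the receiving host has its own fwd rule to a local socket.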