Date: Fri, 6 Jan 2012 02:51:07 +0000
From: Gerald McNulty <gmnt99@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Basic transparent filtering with pf
Message-ID: <CAD%2B_bPy94dRyzfQDEnzXB%2BsffVnO6AhTMOidJwHPSO%2B=tkYBFQ@mail.gmail.com>
Hello,

I am trying to get a basic transparent proxy to work with pf under FreeBSD. By "transparent", I mean that the client IP address is presented to the destination server, not just that the proxy is accessed automatically through rdr rules. The proxy is written in C and works correctly in terminating the client -> proxy connection and the proxy -> server connection with no user intervention.

Here is an example architecture; all IP addresses are valid and routable, no RFC1918.

    client (100.100.100.5) <-> (100.100.100.1 $int_if) router/proxy (200.200.200.1 $ext_if) <--> {internet} <--> (50.50.50.50) server

Initial pf.conf lines:

    rdr pass on $int_if inet proto tcp from any to any -> $int_if port 7890
    pass in quick on $int_if
    pass in quick on $ext_if
    pass out keep state

Step 1: Client initiates TCP connection to server. Proxy code on $int_if:7890 accept()'s the connection, creates a new TCP connection between $ext_if and server. This works as expected - the server sees 200.200.200.1 ($ext_if) as the peer address while the client sees the true server's address (50.50.50.50) as the peer.

Step 2: Update the outbound connection request with a setsockopt(fd, IPPROTO_IP, IP_BINDANY, &on, sizeof on) and a bind() to the client's IP address (100.100.100.5), correctly retrieved with ioctl(DIOCNATLOOK). Now connect. The SYN packet is sent, but the returning SYN+ACK is never answered and the proxy socket never receives any data.

A tcpdump from the proxy is below:

    02:01:31.457764 IP 100.100.100.5.26023 > 50.50.50.50.http: Flags [S], seq 2436001586, win 65535, options [mss 1460,sackOK,eol], length 0
    02:01:31.570653 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
    02:01:34.569454 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
    02:01:40.568830 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
    02:01:43.656081 IP 100.100.100.5.26023 > 50.50.50.50.http: Flags [S], seq 2436001586, win 65535, options [mss 1460,sackOK,eol], length 0
    02:01:43.768978 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
    02:01:46.768123 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
    02:01:52.767514 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0
    02:02:04.766253 IP 50.50.50.50.http > 100.100.100.5.26023: Flags [S.], seq 2750220640, ack 2436001587, win 65535, options [mss 1460,nop,wscale 3,sackOK,eol], length 0

Is this something that requires further pf rules? Or something in the C code? Any guidance would be much appreciated.

--
Gerald McNulty
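As an added example, not code from the post above: the socket side of Step 2 in C, i.e. the server-facing socket given IP_BINDANY and bound to the client's address before the proxy calls connect(). The Linux fallback to IP_TRANSPARENT and the function names are assumptions; a bind to a non-local address needs root, and the check helper only inspects what the kernel actually bound.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_BINDANY                 /* FreeBSD name; on Linux the closest */
#define IP_BINDANY IP_TRANSPARENT  /* option is IP_TRANSPARENT (assumption) */
#endif

/* Create the server-facing TCP socket bound to the client's address (the
 * one the proxy obtained via DIOCNATLOOK) so the server sees the client as
 * its peer. bindany != 0 allows a non-local source address (needs root).
 * Returns the fd, not yet connected, or -1 with errno set. */
int open_client_bound_socket(const char *src_ip, uint16_t src_port, int bindany)
{
    struct sockaddr_in src;
    int fd, on = 1, saved;
    memset(&src, 0, sizeof src);
    src.sin_family = AF_INET;
    src.sin_port = htons(src_port);           /* 0: kernel picks a port */
    if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    /* The option must be set before bind(); otherwise a foreign address
     * is rejected with EADDRNOTAVAIL. */
    if ((bindany && setsockopt(fd, IPPROTO_IP, IP_BINDANY, &on, sizeof on) < 0)
        || bind(fd, (struct sockaddr *)&src, sizeof src) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;   /* the proxy now connect()s this fd to the real server */
}

/* Report what the kernel bound: 1 if the address matches expect_ip and a
 * port was assigned, 0 otherwise (also for an invalid fd). */
int check_bound_to(int fd, const char *expect_ip)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    char ip[INET_ADDRSTRLEN];
    if (fd < 0 || getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return 0;
    inet_ntop(AF_INET, &sa.sin_addr, ip, sizeof ip);
    return strcmp(ip, expect_ip) == 0 && sa.sin_port != 0;
}
```

With bindany set and the client's address and port passed in, the returned fd is the one the proxy connects to the server; this covers only the socket calls, not the pf side of the question.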