From owner-freebsd-net Thu Dec 27 11:40:56 2001
Delivered-To: freebsd-net@freebsd.org
Date: Thu, 27 Dec 2001 11:31:22 -0800 (PST)
From: Julian Elischer
To: Henry Su
Cc: freebsd-net@FreeBSD.ORG
Subject: RE: socket call in the kernel
Sender: owner-freebsd-net@FreeBSD.ORG

On Thu, 27 Dec 2001, Henry Su wrote:

> Thanks a lot Julian. Please let me know if you need more info.
>
> My goal is to use test2 as an authentication server: when an HTTP request
> passes through the test2 box, test2 will redirect it to an authentication
> URL on itself.
>
>  _________                    ___________________
> |         | crossover cable  |                   |
> | test1   |----------------->| test2 (ipfw,proxy)|----->router->Internet
> |_________|                  |___________________|
>  X.1.1.3                      X.1.1.2
>
> test2 has ipfw and a proxy server for redirection. It is configured as a
> bridge: one interface has an IP address, one interface does not, and test1
> is connected to the latter.

Assume dc1 on the router side of test2 and dc2 on the crossover side of test2.

Is the router doing NAT? Is X.x.x.x a routable address? I presume that
X.1.1.3 and X.1.1.2 are on the same logical net. Are they both routable
addresses?

Firstly, bridging is a new factor. You didn't mention that before..
I am not sure how bridging will interact with everything else.

What does netstat -aA show on test2? Is the server bound to an address?
i.e. do you bind() the server to a particular address? If so, which?

Why are you bridging? Do you want people on test1 to authenticate, or
people coming in from the internet? (You need to specify what you want
to redirect.)

> The rule for forwarding is:
>
> #Forward no valid http packet to local authentication
> ${fwcmd} add 65534 fwd localhost,8800 log tcp from any to any 80
>
> For example, here are 2 cases, one works, one failed.
>
> Failed case: from test1, "telnet www.yahoo.com 80". From the test2 ipfw log,
> you can see the packet is forwarded (e.g. "Dec 27 00:34:25 test2 /kernel:
> ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1101
> 129.219.10.10:80 in via dc2"), but the proxy server on test2 seems not to
> have got the forwarded packet.
>
> Worked case: from test1, "telnet test2 80". It just works. The proxy server
> got the packet, and sent a redirection message to test1: "

I wonder if someone has broken fwd?

If you do the following on test2:

    telnet localhost 80

and

    telnet www.freebsd.org 80

what happens?

> My guess is:
>
> The proxy socket server can only listen to a packet whose dst IP address
> matches its own IP address. The proxy server is written by myself; it's a
> Java socket server. When it receives any packet at port 8800, it sends back
> some HTTP redirection information.

No, the address that the server will be matched against is the address in
the fwd rule, and not the address in the packet. Roughly it does:

    tempaddr = address_from_packet
    if (ipfw matches a fwd rule)
        tempaddr = address_in_rule
    find socket that matches tempaddr.

It could be that the bridging is somehow confusing the forwarding..
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
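The lookup Julian sketches above ("tempaddr = address in the fwd rule, then find the socket that matches tempaddr") decides whether Henry's proxy can ever see the forwarded packet, and the answer depends only on what address the proxy bind()s to. The following is an added, user-space model of that step, written for this archive page; it is not code from Julian, Henry or the FreeBSD tree. It assumes the ordering FreeBSD's in_pcblookup_hash uses (an exact local-address match wins, INADDR_ANY listeners are tried second) and the port fallback tcp_input applies when a fwd rule names no port; the packet addresses are the ones from the quoted ipfw log line, and 10.1.1.2 is a constructed stand-in for test2's X.1.1.2.

```c
/*
 * Added example (not from the thread): user-space model of the socket
 * lookup done for a packet that hit an ipfw "fwd" rule.
 *
 * Assumptions (mine): exact local-address match beats INADDR_ANY, as in
 * FreeBSD's in_pcblookup_hash; a fwd rule without a port keeps the packet's
 * port; 10.1.1.2 stands in for test2's X.1.1.2; the packet is the one
 * from the quoted log line (to 129.219.10.10:80).
 */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct pcb { uint32_t laddr; uint16_t lport; const char *name; }; /* a listening socket   */
struct pkt { uint32_t dst;   uint16_t dport; };                   /* dst ip:port on the wire */
struct fwd { int present; uint32_t addr; uint16_t port; };        /* "fwd addr,port" that matched */

/* Dotted quad -> host-order address; 0 doubles as INADDR_ANY. */
static uint32_t ip4(const char *dotted)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return 0;
    return ntohl(a.s_addr);
}

/* Substitute the rule's address for the packet's, then find a listener. */
static const struct pcb *
lookup_listener(const struct pcb *tbl, size_t n, const struct pkt *p, const struct fwd *f)
{
    uint32_t tempaddr = p->dst;
    uint16_t tempport = p->dport;
    size_t i;

    if (f != NULL && f->present) {      /* ipfw matched a fwd rule */
        tempaddr = f->addr;
        if (f->port != 0)               /* no port in the rule: keep the packet's */
            tempport = f->port;
    }
    for (i = 0; i < n; i++)             /* exact local address first */
        if (tbl[i].lport == tempport && tbl[i].laddr == tempaddr)
            return &tbl[i];
    for (i = 0; i < n; i++)             /* then INADDR_ANY listeners */
        if (tbl[i].lport == tempport && tbl[i].laddr == 0)
            return &tbl[i];
    return NULL;
}

/*
 * Henry's rule "fwd localhost,8800 ... tcp from any to any 80" applied to the
 * logged packet.  bind_addr is what the Java proxy bound to; returns 1 if the
 * forwarded packet reaches it.
 */
int fwd_reaches_proxy(const char *bind_addr)
{
    const struct pcb proxy = { ip4(bind_addr), 8800, "proxy" };
    const struct pkt p = { ip4("129.219.10.10"), 80 };
    const struct fwd f = { 1, ip4("127.0.0.1"), 8800 };
    return lookup_listener(&proxy, 1, &p, &f) != NULL;
}

/* Same packet with no fwd match: a port-80 packet never reaches port 8800. */
int plain_reaches_proxy(const char *bind_addr)
{
    const struct pcb proxy = { ip4(bind_addr), 8800, "proxy" };
    const struct pkt p = { ip4("129.219.10.10"), 80 };
    return lookup_listener(&proxy, 1, &p, NULL) != NULL;
}

int main(void)
{
    const char *binds[] = { "0.0.0.0", "127.0.0.1", "10.1.1.2" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("proxy bound to %-9s: fwd -> %s, no fwd -> %s\n", binds[i],
               fwd_reaches_proxy(binds[i]) ? "reaches" : "missed",
               plain_reaches_proxy(binds[i]) ? "reaches" : "missed");
    return 0;
}
```

Under this model a proxy bound to 0.0.0.0:8800 or 127.0.0.1:8800 receives the packet regardless of its original destination, while one bound only to test2's own interface address (the 10.1.1.2 stand-in) is skipped because the lookup is made against 127.0.0.1, the address in the rule. That is the case the netstat -aA output Julian asks for would settle; it does not model the bridge path, which is the other open question in the thread.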