Date: Fri, 14 Jan 2011 09:51:18 -0800
From: Julian Elischer <julian@freebsd.org>
To: Jay Corrales <jay@experts-exchange.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Fwd: stunnel transparent proxy
Message-ID: <4D308D16.8020103@freebsd.org>
In-Reply-To: <4D2B625B.1030403@experts-exchange.com>
References: <4D2B625B.1030403@experts-exchange.com>
On 1/10/11 11:47 AM, Jay Corrales wrote:
>
> Folks,
>
> Would it be possible to devise an ipfw 'fwd' rule to pass along a socket
> connection with IP_BINDANY set via stunnel that forwards it to another
> process? The problem I'm having is the vnc service on the other side
> cannot reply back to the IP address because the routing does not redirect
> back through stunnel. I am testing configurations using apache (port 80
> and 443) for convenience.
>
> Request :
>
> ext ip -> stunnel -> vnc svc
>
> Response :
>
> vnc svc X-> ext ip
>
> instead of :
>
> vnc svc -> stunnel -> ext ip

so you want the tunnel to be used in only one direction?
(not sure what stunnel actually is)

>
> With stunnel's transparent set option traffic looks like :
>
> 19:31:34.162337 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq
> 2050938762, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val
> 7437993 ecr 0], length 0
> 19:31:37.153079 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S],<snip>..
> 19:31:40.351804 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S],<snip>..
> 19:31:43.550543 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq
> 2050938762, win 65535, options [mss 16344,sackOK,eol], length 0

well there can be a thousand reasons that there is no response..
where is the trace taken? on the server? client?

>
> Without transparent, traffic flows fine, and looks like :
>
> 19:32:55.883404 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [S], seq
> 2147354729, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val
> 7446169 ecr 0], length 0
> 19:32:55.883575 IP 127.0.0.1.80 > 127.0.0.1.30326: Flags [S.], seq
> 2770470513, ack 2147354730, win 65535, options [mss 16344,nop,wscale
> 3,sackOK,TS val 1229815108 ecr 7446169], length 0
> 19:32:55.883589 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [.], ack 1, win
> 8960, options [nop,nop,TS val 7446169 ecr 1229815108], length 0

127.0.0.1 <--> 127.0.0.1 is of limited usefulness :-)

>
> ...
>
> I did try and devise pf rules to redirect or rdr and nat, but neither
> worked. I am only vaguely familiar with ipfw, and some of my research
> led me to believe it may be possible.
>
> Thanks
>
> P.S. I did post the same question earlier on the freebsd-pf list as well.
> http://lists.freebsd.org/pipermail/freebsd-pf/2011-January/005914.html

I don't really understand what you want to do with stunnel and what you hope to achieve.

>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
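Added here as a diagnostic aid, not code from this thread, from stunnel or from ipfw: the two tcpdump excerpts quoted above differ in exactly one way, the transparent-mode flow carries the real client address 192.168.103.69 as its source and is nothing but the same SYN (seq 2050938762) retransmitted four times with no SYN-ACK at this capture point, while the loopback flow completes its handshake in three packets. The script below parses tcpdump's one-line TCP records, groups them into connections, and reports per flow how many SYNs were sent, whether a SYN-ACK ever came back, and the spacing of the retransmissions, which is the question Julian is asking about where the trace was taken. The sample input is the thread's own capture lines, re-spaced as tcpdump prints them ("src > dst") and with the two "<snip>" lines kept truncated so the parser has to tolerate records without seq/options; nothing about the reply path is assumed.

```python
"""Classify TCP flows in tcpdump output as completed or stuck in SYN.

Added example (not from the thread): feed it the captures quoted above
and it reports, per flow, SYN count, whether a SYN-ACK was seen, and the
intervals between retransmitted SYNs.
"""
import re
from collections import OrderedDict

# Constructed sample input: the two captures quoted in the thread.  The
# "<snip>" lines stay truncated, so records may carry no seq/options.
TRANSPARENT_TRACE = """\
19:31:34.162337 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 7437993 ecr 0], length 0
19:31:37.153079 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S],<snip>..
19:31:40.351804 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S],<snip>..
19:31:43.550543 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, options [mss 16344,sackOK,eol], length 0
"""

PLAIN_TRACE = """\
19:32:55.883404 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [S], seq 2147354729, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 7446169 ecr 0], length 0
19:32:55.883575 IP 127.0.0.1.80 > 127.0.0.1.30326: Flags [S.], seq 2770470513, ack 2147354730, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1229815108 ecr 7446169], length 0
19:32:55.883589 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [.], ack 1, win 8960, options [nop,nop,TS val 7446169 ecr 1229815108], length 0
"""

# tcpdump -n style IPv4/TCP record: "HH:MM:SS.frac IP a.b.c.d.port > a.b.c.d.port: Flags [..], seq N, ..."
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d(?:\.\d+)?) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+))?"          # absent on the truncated "<snip>" lines
)


def parse_line(line):
    """Return (time_seconds, src, dst, flags, seq) or None if not a TCP record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    src = "%s:%s" % (m["src"], m["sport"])
    dst = "%s:%s" % (m["dst"], m["dport"])
    seq = int(m["seq"]) if m["seq"] else None
    return t, src, dst, m["flags"], seq


def analyze(trace):
    """Group records by connection and judge whether the 3-way handshake completed."""
    flows = OrderedDict()
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        t, src, dst, flags, seq = rec
        key = tuple(sorted((src, dst)))       # same key for both directions
        f = flows.setdefault(key, {
            "client": None, "server": None, "syn": 0, "synack": 0,
            "syn_times": [], "syn_seqs": set(), "client_ack": 0,
        })
        if flags == "S":                      # bare SYN: its sender is the client
            if f["client"] is None:
                f["client"], f["server"] = src, dst
            f["syn"] += 1
            f["syn_times"].append(t)
            if seq is not None:
                f["syn_seqs"].add(seq)
        elif flags == "S." and src == f["server"]:
            f["synack"] += 1
        elif "." in flags and src == f["client"] and f["synack"]:
            f["client_ack"] += 1              # ACK (or PSH-ACK etc.) after the SYN-ACK
    results = []
    for f in flows.values():
        times = f["syn_times"]
        f["syn_gaps"] = [round(b - a, 3) for a, b in zip(times, times[1:])]
        f["complete"] = f["synack"] > 0 and f["client_ack"] > 0
        if f["complete"]:
            f["verdict"] = "handshake completed"
        elif f["synack"]:
            f["verdict"] = "SYN-ACK seen but never acknowledged by the client"
        else:
            f["verdict"] = "%d SYN(s), no SYN-ACK at this capture point" % f["syn"]
        results.append(f)
    return results


if __name__ == "__main__":
    for name, trace in (("transparent", TRANSPARENT_TRACE), ("plain", PLAIN_TRACE)):
        for f in analyze(trace):
            print("%-11s %s -> %s: %s; SYN gaps %s"
                  % (name, f["client"], f["server"], f["verdict"], f["syn_gaps"]))
```

Run against a capture taken on the stunnel host and then against one taken on the VNC/apache host: a flow that shows SYNs but no SYN-ACK on the stunnel side, yet shows the SYN-ACK leaving on the service side, tells you the reply was sent to the client address directly rather than back through the tunnel, which is the routing question the original post raises.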