From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 14 17:50:47 2011
From: Julian Elischer <julian@freebsd.org>
To: Jay Corrales
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 14 Jan 2011 09:51:18 -0800
Subject: Re: Fwd: stunnel transparent proxy
Message-ID: <4D308D16.8020103@freebsd.org>
In-Reply-To: <4D2B625B.1030403@experts-exchange.com>
List-Id: IPFW Technical Discussions

On 1/10/11 11:47 AM, Jay Corrales wrote:
>
> Folks,
>
> Would it be possible to devise an ipfw 'fwd' rule to pass along a socket
> connection with IP_BINDANY set via stunnel that forwards it to another
> process? The problem I'm having is the vnc service on the other side
> cannot reply back to the IP address because the routing does not redirect
> back through stunnel. I am testing configurations using apache (port 80
> and 443) for convenience.
>
> Request :
>
> ext ip -> stunnel -> vnc svc
>
> Response :
>
> vnc svc X->ext ip
>
> instead of :
>
> vnc svc -> stunnel -> ext ip

so you want the tunnel to be used in only one direction?
(not sure what stunnel actually is)

>
> With stunnel's transparent set option traffic looks like :
>
> 19:31:34.162337 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq
> 2050938762, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val
> 7437993 ecr 0], length 0
> 19:31:37.153079 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], ..
> 19:31:40.351804 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], ..
> 19:31:43.550543 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq
> 2050938762, win 65535, options [mss 16344,sackOK,eol], length 0

well there can be a thousand reasons that there is no response..
where is the trace taken? on the server? client?

>
> Without transparent, traffic flows fine, and looks like :
>
> 19:32:55.883404 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [S], seq
> 2147354729, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val
> 7446169 ecr 0], length 0
> 19:32:55.883575 IP 127.0.0.1.80 > 127.0.0.1.30326: Flags [S.], seq
> 2770470513, ack 2147354730, win 65535, options [mss 16344,nop,wscale
> 3,sackOK,TS val 1229815108 ecr 7446169], length 0
> 19:32:55.883589 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [.], ack 1, win
> 8960, options [nop,nop,TS val 7446169 ecr 1229815108], length 0

127.0.0.1 <--> 127.0.0.1 is of limited usefulness :-)

>
> ...
>
> I did try and devise pf rules to redirect or rdr and nat, but neither
> worked. I am only vaguely familiar with ipfw, and from some of my research
> led me to believe it may be possible.
>
> Thanks
>
> P.S. I did post the same question earlier on freebsd-pf list as well.
> http://lists.freebsd.org/pipermail/freebsd-pf/2011-January/005914.html

I don't really understand what you want to do with stunnel and what you
hope to achieve.

> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
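Added example, not part of the thread above: a small Python parser run over the two tcpdump excerpts Jay quoted. For each client->server flow it counts SYNs from the client, SYN-ACKs coming back, and the client's final ACK, and reports whether the three-way handshake ever completed. On the transparent-mode trace it shows the symptom Jay is describing (the same SYN retransmitted four times, no SYN-ACK at the capture point); on the plain loopback trace it shows a completed handshake. It does not answer Julian's question of where the trace was taken or where the replies went. The second and third SYN lines are elided in the original post ("Flags [S], .."), so they are constructed here with only the fields the parser needs; the verdict strings and function names are this example's own.

```python
import re
from collections import OrderedDict

# The two tcpdump excerpts quoted in the thread. In the transparent trace the
# second and third SYN lines are elided in the original post ("Flags [S], ..");
# here they are constructed with only the fields the parser needs.
TRANSPARENT_TRACE = """\
19:31:34.162337 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 7437993 ecr 0], length 0
19:31:37.153079 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], length 0
19:31:40.351804 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], length 0
19:31:43.550543 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, options [mss 16344,sackOK,eol], length 0
"""

PLAIN_TRACE = """\
19:32:55.883404 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [S], seq 2147354729, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 7446169 ecr 0], length 0
19:32:55.883575 IP 127.0.0.1.80 > 127.0.0.1.30326: Flags [S.], seq 2770470513, ack 2147354730, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1229815108 ecr 7446169], length 0
19:32:55.883589 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [.], ack 1, win 8960, options [nop,nop,TS val 7446169 ecr 1229815108], length 0
"""

# tcpdump's default IPv4 TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Verdict strings are this example's own labels, not tcpdump output.
NO_SYNACK = "SYN retransmitted, no SYN-ACK seen at this capture point"
NO_ACK = "SYN-ACK seen, client's ACK missing"
COMPLETE = "handshake completed"


def parse_tcpdump(text):
    """Return one dict per parseable tcpdump line; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(m.groupdict())
    return pkts


def handshake_report(text):
    """Track each client->server flow from its first SYN and classify the handshake.

    Keys are (client, cport, server, sport). Counters: SYNs from the client,
    SYN-ACKs from the server (matched on the reversed tuple), bare ACKs from
    the client. A flow whose SYN-ACK count stays at zero is the symptom in the
    transparent trace: the server's reply never comes back past the point
    where tcpdump is listening.
    """
    flows = OrderedDict()
    for p in parse_tcpdump(text):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        flags = p["flags"]
        if flags == "S":
            flows.setdefault(fwd, {"syn": 0, "synack": 0, "ack": 0})["syn"] += 1
        elif flags == "S." and rev in flows:
            flows[rev]["synack"] += 1
        elif flags == "." and fwd in flows:
            flows[fwd]["ack"] += 1

    report = OrderedDict()
    for key, st in flows.items():
        if st["synack"] == 0:
            verdict = NO_SYNACK
        elif st["ack"] == 0:
            verdict = NO_ACK
        else:
            verdict = COMPLETE
        report[key] = dict(st, verdict=verdict)
    return report


if __name__ == "__main__":
    for name, trace in (("transparent", TRANSPARENT_TRACE), ("plain", PLAIN_TRACE)):
        for flow, st in handshake_report(trace).items():
            print(name, "%s:%s -> %s:%s" % flow, st)
```

Feed it a full `tcpdump -n` capture from each side of the stunnel box in turn; a flow that shows NO_SYNACK on the server-facing capture but a completed handshake on the client-facing one narrows the problem to the return path between the two, which is the direction Jay says is not going back through stunnel.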