From: Mel
To: freebsd-questions@freebsd.org
Date: Fri, 31 Aug 2007 19:27:18 +0200
Subject: Re: pf rdr + netsed : reinject loop...

On Friday 31 August 2007 19:12:42 Mel wrote:
> On Friday 31 August 2007 18:27:26 Norberto Meijome wrote:
> > On Fri, 31 Aug 2007 17:40:06 +0200
> >
> > Mel wrote:
> > > > netsed's output is (part):
> > > > ---
> > > > Script started on Fri Aug 31 07:52:12 2007
> > > > [root@localhost /usr/home/luser]# netsed tcp 10101 0 0 s/FOO/BAR
> > > > netsed 0.01b by Michal Zalewski
> > > > [*] Parsing rule s/FOO/BAR ...
> > > > [+] Loaded 1 rules...
> > > > [+] Listening on port 10101/tcp.
> > > > [+] Using dynamic (transparent proxy) forwarding.
> > > >
> > > > [+] Got incoming connection from 172.16.82.81:1178 to 127.0.0.1:10101
> > > > [*] Forwarding connection to 127.0.0.1:10101
> > > > [+] Got incoming connection from 127.0.0.1:51337 to 127.0.0.1:10101
> > > > [*] Forwarding connection to 127.0.0.1:10101
> > > > [+] Caught client -> server packet.
> > >
> > > I think you need to figure out what this 'transparent proxy mode' of
> > > netsed does, cause it should under no circumstances forward to
> > > itself...
> >
> > It simply forwards the packet to the dst_ip:dst_port it originally had.
> > But, as Daniel H pointed out, those packets had been rewritten by pf's
> > rdr to go TO netsed's ip:port .... hence netsed won't change anything. It
> > works fine in non-proxy mode, but as I said in my first msg, that is not
> > an option for me.
>
> OK, I just tried to verify if rdr rewrites dest and indeed it does from
> netsed's point of view (didn't know my machine could go to 100 load and
> still catch SIGINT).
>
> Now I wonder how ftp-proxy(8) ever gets the server address. Time to view
> the source.

Ah, here we go:
/usr/src/contrib/pf/ftp-proxy/util.c:115:

	/*
	 * Open the pf device and lookup the mapping pair to find
	 * the original address we were supposed to connect to.
	 */
	fd = open("/dev/pf", O_RDWR);
	if (fd == -1) {
		syslog(LOG_ERR, "cannot open /dev/pf (%m)");
		exit(EX_UNAVAILABLE);
	}
	if (ioctl(fd, DIOCNATLOOK, &natlook) == -1) {
		syslog(LOG_INFO, "pf nat lookup failed %s:%hu (%m)",
		    inet_ntoa(client_sa_ptr->sin_addr),
		    ntohs(client_sa_ptr->sin_port));
		close(fd);
		return(-1);
	}
	close(fd);

So, in short, netsed needs extra code to deal with pf (and probably others
since only a Linux iptables example is listed in README) and the port
maintainer should add a warning that transparent proxy mode does not (yet)
work with pf/ipfw/ipf.
In addition you need write access to /dev/pf :)
-- 
Mel
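As an added example (not code from netsed, ftp-proxy or anyone in the thread), this is the lookup netsed lacks: a DIOCNATLOOK wrapper modelled on the ftp-proxy snippet quoted above, which returns the destination the client asked for before pf's rdr rewrote it, plus a portable check that refuses the self-forwarding visible in the netsed log (forward target equal to the proxy's own listening socket). The function names, the pfioc_natlook field usage and the sample addresses in the test are assumptions of this example.

```c
/* Added example (not ftp-proxy's or netsed's code): how a transparent proxy
 * behind a pf rdr rule asks pf for the pre-rdr destination. The pf part
 * mirrors the DIOCNATLOOK call quoted above and builds only where
 * <net/pfvar.h> exists; the loop check at the end is portable. */
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#if defined(__FreeBSD__) || defined(__OpenBSD__)
#include <net/if.h>
#include <net/pfvar.h>
/* client: peer from accept(2); proxy: own socket from getsockname(2).
 * On success *orig holds the server address the client really wanted. */
int pf_original_dst(const struct sockaddr_in *client,
                    const struct sockaddr_in *proxy, struct sockaddr_in *orig)
{
    struct pfioc_natlook nl;
    int fd = open("/dev/pf", O_RDWR);   /* hence "write access to /dev/pf" */
    if (fd == -1) return -1;
    memset(&nl, 0, sizeof(nl));
    nl.saddr.v4 = client->sin_addr;     /* the connection as pf saw it... */
    nl.daddr.v4 = proxy->sin_addr;      /* ...after rdr rewrote its dest */
    nl.sport = client->sin_port;
    nl.dport = proxy->sin_port;
    nl.af = AF_INET;
    nl.proto = IPPROTO_TCP;
    nl.direction = PF_OUT;
    if (ioctl(fd, DIOCNATLOOK, &nl) == -1) { close(fd); return -1; }
    close(fd);
    memset(orig, 0, sizeof(*orig));
    orig->sin_family = AF_INET;
    orig->sin_addr = nl.rdaddr.v4;      /* rdaddr/rdport: original dest */
    orig->sin_port = nl.rdport;
    return 0;
}
#endif
/* The loop from the thread: forwarding to the proxy's own listening
 * socket. Returns 1 if it is safe to connect, 0 if not (or unparsable).
 * Addresses are dotted quads, ports in host byte order. */
int forward_target_ok(const char *target_ip, unsigned target_port,
                      const char *proxy_ip, unsigned proxy_port)
{
    struct in_addr t, p;
    if (inet_pton(AF_INET, target_ip, &t) != 1 ||
        inet_pton(AF_INET, proxy_ip, &p) != 1)
        return 0;
    return !(t.s_addr == p.s_addr && target_port == proxy_port);
}
```

A proxy that calls pf_original_dst() after accept() and then forward_target_ok() before connect() gets the real server from pf and bails out instead of looping back into itself when the lookup fails or still yields its own address.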