Date: Wed, 15 Sep 1999 13:06:10 -0400
From: Andre@HighCaliber.com (Andre Chang)
To: "Vladimir B. Grebenschikov" <vova@express.ru>
Cc: <freebsd-ipfw@FreeBSD.ORG>
Subject: Re: IPFW configuration as a transparent proxy
Message-ID: <001301beff9c$9b98b550$1ad2d9ce@work.highcaliber.com>

-----Original Message-----
From: Vladimir B. Grebenschikov <vova@express.ru>
To: freebsd-ipfw@FreeBSD.ORG <freebsd-ipfw@FreeBSD.ORG>
Date: Wednesday, September 15, 1999 2:18 AM
Subject: Re: IPFW configuration as a transparent proxy

>On Tue, 14 Sep 1999, Andre Chang wrote:
>
>> ipfw add 500 fwd 10.0.0.1,80 log tcp from 10.0.0.100 to any 80 in recv fxp1
>>
>> For testing purposes I specified logging and the actual IP of the client.
>>
>> The logs show a matched rule when I attempt to open the browser:
>> ipfw: 500 Forward to 10.0.0.1:80 TCP 10.0.0.100:1158 204.141.86.3:80 in via
>> fxp1
>>
>> This looks ok but then the browser returns an unable to connect message. I
>> can't seem to figure out what is wrong here. Any insight will be greatly
>> appreciated. Thanks for the existing comments.
>
>In my opinion the problem is in the behavior of the software listening on 10.0.0.1:80
>it must not be a standard proxy (like squid)
>
>a standard proxy listens on one address and gets requests with a full URL like:
>GET http://www.somwhere.net/path/here.html HTTP/1.0

I tried this format via telnet and it returns correct requests. I've been
thinking that it's possible that the requests get thrown into a loop because I
only have that one fwd rule before the open firewall rule. I'm going to add the
following rule before the fwd rule:

ipfw add 400 allow tcp from 10.0.0.100 to any

to see if looping is the case.

--
Andre Chang
Network Engineer.
High Caliber Systems, Inc.

>
>but your browser may send requests without protocol and hostname like:
>GET /path/here.html HTTP/1.0
>
>so the software listening on 10.0.0.1:80 must get the destination IP from
>the request and insert it in the proxy request
>
>you can play with telnet to check how it works
>
>standard software for this need is present in ports and is called tranproxy,
>but it is designed to work with ipfilter, not IPFW
>
>--
>TSB Russian Express, Moscow
>Vladimir B. Grebenschikov, vova@express.ru
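The rewrite discussed in the thread, as an added example (not code from either poster or from any proxy named above): an intercepting listener turns the origin-form request a browser sends into the absolute-form request a standard proxy expects, taking the host from the `Host` header or, when there is none, from the original destination address. The function name and the `orig_dst` parameter are assumptions; how the listener learns the original destination is outside this example.

```python
import re

# Host is client-controlled: accept only a hostname/IPv4 with an optional port
# before embedding it in a URL (IPv6 literals are not handled in this example).
_HOST_RE = re.compile(rb"[A-Za-z0-9.\-]+(:\d{1,5})?")

def to_proxy_request(head: bytes, orig_dst: tuple) -> bytes:
    """Return the request head with an absolute-form target.

    orig_dst (assumed parameter): the (ip, port) the client was really
    connecting to before the firewall forwarded the connection.
    """
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].split(b" ")
    except ValueError:
        raise ValueError("malformed request line: %r" % lines[0])
    # Already absolute-form: what a browser configured for a proxy sends.
    if target.lower().startswith((b"http://", b"https://")):
        return head
    if not target.startswith(b"/"):
        raise ValueError("unsupported request target: %r" % target)
    host = None
    for line in lines[1:]:
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
            break
    if host is None:
        # HTTP/1.0 clients may send no Host header: fall back to the
        # destination address the connection was originally aimed at.
        ip, port = orig_dst
        host = ip.encode() if port == 80 else ("%s:%d" % (ip, port)).encode()
    elif not _HOST_RE.fullmatch(host):
        raise ValueError("rejected Host header: %r" % host)
    lines[0] = b" ".join([method, b"http://" + host + target, version])
    return b"\r\n".join(lines)

# Constructed sample requests; the address is the one in the thread's log line.
ORIG_DST = ("204.141.86.3", 80)
PLAIN = b"GET /path/here.html HTTP/1.0\r\n\r\n"
WITH_HOST = b"GET /path/here.html HTTP/1.0\r\nHost: www.example.net\r\n\r\n"
PROXY_STYLE = b"GET http://www.example.net/path/here.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for req in (PLAIN, WITH_HOST, PROXY_STYLE):
        print(to_proxy_request(req, ORIG_DST).split(b"\r\n")[0].decode())
```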
