From owner-freebsd-hackers@FreeBSD.ORG Fri Jan 7 20:02:28 2011
Message-ID: <9b22ed5e31d4e547daf27e01d6d08528.squirrel@mail.experts-exchange.com>
Date: Fri, 7 Jan 2011 11:45:14 -0800
From: jay@experts-exchange.com
To: freebsd-hackers@freebsd.org
Cc: freebsd-stable@freebsd.org, freebsd-ports@freebsd.org
Subject: stunnel transparent proxy

Folks,

Would it be possible to devise an ipfw 'fwd' rule to pass along a socket connection with IP_BINDANY set via stunnel that forwards it to another process?

The problem I'm having is that the vnc service on the other side cannot reply back to the IP address, because the routing does not redirect back through stunnel. I am testing configurations using apache (ports 80 and 443) for convenience.

Request    : ext ip -> stunnel -> vnc svc
Response   : vnc svc X-> ext ip
instead of : vnc svc -> stunnel -> ext ip

With stunnel's transparent option set, traffic looks like:

19:31:34.162337 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 7437993 ecr 0], length 0
19:31:37.153079 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], ..
19:31:40.351804 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], ..
19:31:43.550543 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, options [mss 16344,sackOK,eol], length 0

Without transparent, traffic flows fine and looks like:

19:32:55.883404 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [S], seq 2147354729, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 7446169 ecr 0], length 0
19:32:55.883575 IP 127.0.0.1.80 > 127.0.0.1.30326: Flags [S.], seq 2770470513, ack 2147354730, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1229815108 ecr 7446169], length 0
19:32:55.883589 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [.], ack 1, win 8960, options [nop,nop,TS val 7446169 ecr 1229815108], length 0
...

I did try to devise pf rules to redirect, or rdr and nat, but neither worked. I am only vaguely familiar with ipfw, and some of my research led me to believe it may be possible.

Thanks

P.S. I did post the same question earlier on the freebsd-pf list as well.
http://lists.freebsd.org/pipermail/freebsd-pf/2011-January/005914.html
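Added example, not part of the post: a small Python parser that reads tcpdump lines such as the two traces above and flags flows where the client keeps retransmitting SYN while no SYN-ACK is ever seen in the reverse direction. That is exactly how the missing return path shows up in the transparent-mode trace (four SYNs with the same seq 2050938762 and nothing back from 127.0.0.1.80), whereas the non-transparent trace completes its handshake. The trace text embedded below is copied from the post; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# tcpdump excerpts copied from the post: the failing transparent-mode trace
# and the working non-transparent trace (abbreviated lines kept as posted).
BROKEN_TRACE = """\
19:31:34.162337 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 7437993 ecr 0], length 0
19:31:37.153079 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], ..
19:31:40.351804 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], ..
19:31:43.550543 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, options [mss 16344,sackOK,eol], length 0
"""
WORKING_TRACE = """\
19:32:55.883404 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [S], seq 2147354729, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 7446169 ecr 0], length 0
19:32:55.883575 IP 127.0.0.1.80 > 127.0.0.1.30326: Flags [S.], seq 2770470513, ack 2147354730, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1229815108 ecr 7446169], length 0
19:32:55.883589 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [.], ack 1, win 8960, options [nop,nop,TS val 7446169 ecr 1229815108], length 0
"""

# Matches the fixed prefix of a tcpdump TCP line: timestamp, endpoints, flags.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse(trace):
    """Yield (src, sport, dst, dport, flags) for every line that parses as TCP."""
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]

def find_unanswered_syns(trace, min_syns=2):
    """Return {(src, sport, dst, dport): syn_count} for flows in which the client
    sent at least min_syns SYNs and no SYN-ACK ever came back from the server.
    Repeated SYNs with no SYN-ACK are the signature of a reply that is routed
    somewhere other than back to the client (here: not back through stunnel)."""
    syns = defaultdict(int)
    answered = set()
    for src, sport, dst, dport, flags in parse(trace):
        if flags == "S":
            syns[(src, sport, dst, dport)] += 1
        elif flags == "S.":
            # Record the SYN-ACK under the client's view of the flow (reversed).
            answered.add((dst, dport, src, sport))
    return {f: n for f, n in syns.items() if n >= min_syns and f not in answered}

if __name__ == "__main__":
    print(find_unanswered_syns(BROKEN_TRACE))   # {('192.168.103.69', 52671, '127.0.0.1', 80): 4}
    print(find_unanswered_syns(WORKING_TRACE))  # {}
```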