From owner-freebsd-ipfw Wed Sep 15 10:48:36 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38])
	by hub.freebsd.org (Postfix) with ESMTP id DAF4D14D03
	for ; Wed, 15 Sep 1999 10:48:33 -0700 (PDT)
	(envelope-from julian@whistle.com)
Received: from home.elischer.org (home.elischer.org [207.76.204.203])
	by alpo.whistle.com (8.9.1a/8.9.1) with ESMTP id KAA67489;
	Wed, 15 Sep 1999 10:48:23 -0700 (PDT)
Date: Wed, 15 Sep 1999 10:48:32 -0700 (PDT)
From: Julian Elischer
X-Sender: julian@home.elischer.org
To: "Vladimir B. Grebenschikov"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW configuration as a transparent proxy
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

squid has a set of patches to allow this to be done..
(in fact it is standard, but you must compile it in).
The Linux transparent proxy changes are about the same....

On Wed, 15 Sep 1999, Vladimir B. Grebenschikov wrote:

> On Tue, 14 Sep 1999, Andre Chang wrote:
>
> > ipfw add 500 fwd 10.0.0.1,80 log tcp from 10.0.0.100 to any 80 in recv fxp1
> >
> > For testing purposes I specified logging and the actual ip of the client.
> >
> > The logs show a matched rule when I attempt to open the browser:
> > ipfw: 500 Forward to 10.0.0.1:80 TCP 10.0.0.100:1158 204.141.86.3:80 in via fxp1
> >
> > This looks ok but then the browser returns an unable to connect message. I
> > can't seem to figure out what is wrong here. Any insight will be greatly
> > appreciated. Thanks for the existing comments.
>
> In my opinion the problem is in the behavior of the software listening on
> 10.0.0.1:80; it must not be a standard proxy (like squid)
>
> a standard proxy listens on one address and gets requests with a full URL like:
> GET http://www.somwhere.net/path/here.html HTTP/1.0
>
> but your browser may send requests without protocol and hostname like:
> GET /path/here.html HTTP/1.0
>
> so the software listening on 10.0.0.1:80 must get the destination IP from
> the request and insert it into the proxy request
>
> you can play with telnet to check how it works
>
> standard software for this need is present in ports and is called tranproxy,
> but it is designed to work with ipfilter, not IPFW
>
> --
> TSB Russian Express, Moscow
> Vladimir B. Grebenschikov, vova@express.ru
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
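
The rewrite described in the quoted message above, as an added example that is not part of the original thread or of any proxy's own code: it turns an intercepted origin-form request into the absolute-form request a standard proxy expects. The function name is hypothetical, and it assumes the listener learns the original destination from getsockname() on the accepted socket, since an ipfw fwd rule does not rewrite the packet.

```python
# Added example (not from the thread). The function name is hypothetical.
# Sample requests below are constructed; the address is the one in the log line.

def to_proxy_request(raw, orig_dst):
    """Rewrite 'GET /path HTTP/1.0' into 'GET http://dst/path HTTP/1.0'.

    orig_dst is the (ip, port) the client was really connecting to.
    Assumption: taken from getsockname() on the accepted socket, because
    ipfw fwd leaves the destination address in the packet unchanged.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request header")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if target.startswith(b"http://"):
        return raw  # already in the form a standard proxy understands
    if not target.startswith(b"/"):
        raise ValueError("unsupported request target")
    ip, port = orig_dst
    # The authority comes from the connection, not from anything the client
    # wrote in the request; header lines (Host included) pass through as-is.
    authority = ip if port == 80 else "%s:%d" % (ip, port)
    lines[0] = b" ".join(
        [method, b"http://" + authority.encode("ascii") + target, version]
    )
    return b"\r\n".join(lines) + sep + body


if __name__ == "__main__":
    intercepted = b"GET /path/here.html HTTP/1.0\r\n\r\n"  # constructed sample
    print(to_proxy_request(intercepted, ("204.141.86.3", 80)).decode())
```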