Date:      Sun, 2 Jan 2011 12:04:19 -0800
From:      jay@experts-exchange.com
To:        "Damien Fleuriot" <ml@my.gd>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: transparent proxy
Message-ID:  <5275a39aa1849d38d509a42b627dd4b0.squirrel@mail.experts-exchange.com>
In-Reply-To: <4D20BAEB.10101@my.gd>
References:  <8fb3caa1300a9fcc5c2f23a70ade23a8.squirrel@mail.experts-exchange.com> <4D208AE2.6000402@my.gd> <3020c1e8b0ecb5e9bacb1033ddea2b3e.squirrel@mail.experts-exchange.com> <4D20BAEB.10101@my.gd>

> In other software such as HTTP that you took for example, there's this
> special X-Forwarded-For header which covers this very need.

Squid can talk SSL, so insertion of XFF is possible. But for other
applications, XFF is of no use.

> IMO you shouldn't have to tweak around with the firewall or the IP stack
> to make up for a missing capability but nvm.

I don't think I need to make up for a missing capability, as man 4 ip says:

     If the IP_BINDANY option is enabled on a SOCK_STREAM, SOCK_DGRAM or a
     SOCK_RAW socket, one can bind(2) to any address, even one not bound to
     any available network interface in the system.  This functionality (in
     conjunction with special firewall rules) can be used for implementing a
     transparent proxy.  The PRIV_NETINET_BINDANY privilege is needed to set
     this option.

http://www.freebsd.org/cgi/man.cgi?query=ip&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&format=html


Here I want:

nn:nn:nn.nnnnnn IP 127.0.0.1.51791 > 192.168.103.2.80: Flags [S], ack ...

int_if="lo0"
ext_if="ed0"

pass in on $int_if route-to ($int_if 127.0.0.1) from 192.168.103.1 keep state

But no good (it's not able to sync):


20:02:17.282414 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq
3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val
8998630 ecr 0], length 0
20:02:20.276987 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq
3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val
8998930 ecr 0], length 0
20:02:23.477037 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq
3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val
8999250 ecr 0], length 0
20:02:26.677036 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq
3005214022, win 65535, options [mss 16344,sackOK,eol], length 0

Visualizing the result of the rule is not too keen.

Thanks
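Added example, not code from this thread or from FreeBSD: a minimal TCP listener that turns on the bind-to-any socket option the ip(4) excerpt above describes, so a proxy process can accept connections on an address the host does not own once the firewall steers packets to it. On FreeBSD the option is IP_BINDANY and needs PRIV_NETINET_BINDANY (root); the fallback to Linux's IP_TRANSPARENT (CAP_NET_ADMIN) is this example's assumption about the nearest equivalent, not something the thread states. The address 192.168.103.2:80 is taken from the capture in the message; the pf rule that redirects traffic to the listener is separate and not shown here.

```c
/*
 * Added example (not from the mailing-list thread or FreeBSD sources):
 * open a TCP listener on an address the host does not own by enabling the
 * "bind to any address" socket option before bind(2).
 *   FreeBSD: IP_BINDANY      (requires PRIV_NETINET_BINDANY, i.e. root)
 *   Linux:   IP_TRANSPARENT  (requires CAP_NET_ADMIN) -- assumed equivalent
 * The address 192.168.103.2:80 is the destination seen in the capture.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#if defined(IP_BINDANY)
#  define BINDANY_OPT  IP_BINDANY      /* FreeBSD, as in ip(4) */
#  define BINDANY_NAME "IP_BINDANY"
#elif defined(IP_TRANSPARENT)
#  define BINDANY_OPT  IP_TRANSPARENT  /* Linux equivalent (assumption) */
#  define BINDANY_NAME "IP_TRANSPARENT"
#else
#  error "no bind-to-any socket option available on this platform"
#endif

/* Fill an IPv4 sockaddr from dotted-quad text and a host-order port.
 * Returns 0 on success, -1 if ip is not a valid IPv4 literal. */
int build_addr(const char *ip, unsigned short port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Create a listening TCP socket bound to ip:port even when ip is not
 * configured on any interface. Returns the fd, or -1 with *err set to the
 * errno of the failing step: typically EPERM/EACCES when run unprivileged,
 * EADDRNOTAVAIL if the option was refused and the address is foreign. */
int open_bindany_listener(const char *ip, unsigned short port, int *err)
{
    struct sockaddr_in sa;
    int fd, one = 1;

    *err = 0;
    if (build_addr(ip, port, &sa) != 0) {
        *err = EINVAL;
        return -1;
    }
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        *err = errno;
        return -1;
    }
    /* The option must be set before bind(2); this is the privileged step. */
    if (setsockopt(fd, IPPROTO_IP, BINDANY_OPT, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 16) < 0) {
        *err = errno;
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int err;
    int fd = open_bindany_listener("192.168.103.2", 80, &err);
    if (fd < 0) {
        fprintf(stderr, "%s listener failed: %s\n", BINDANY_NAME, strerror(err));
        return 1;
    }
    printf("listening on 192.168.103.2:80 via %s; firewall rules must now\n"
           "steer the redirected connections to this socket\n", BINDANY_NAME);
    /* A real proxy would accept(2) here and call getsockname(2) on the
     * accepted socket to learn the original destination; this example exits. */
    close(fd);
    return 0;
}
```

Run it as root (or with CAP_NET_ADMIN on Linux); unprivileged it reports the errno from setsockopt or bind, which is a quick way to confirm whether the privilege, rather than the firewall rule, is what is missing.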