From: jay@experts-exchange.com
To: "Damien Fleuriot"
Cc: freebsd-pf@freebsd.org
Date: Sun, 2 Jan 2011 12:04:19 -0800
Subject: Re: transparent proxy
Message-ID: <5275a39aa1849d38d509a42b627dd4b0.squirrel@mail.experts-exchange.com>
In-Reply-To: <4D20BAEB.10101@my.gd>
References: <8fb3caa1300a9fcc5c2f23a70ade23a8.squirrel@mail.experts-exchange.com> <4D208AE2.6000402@my.gd> <3020c1e8b0ecb5e9bacb1033ddea2b3e.squirrel@mail.experts-exchange.com> <4D20BAEB.10101@my.gd>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> In other software such as HTTP that you took for example, there's this
> special X-Forwarded-For header which covers this very need.

Squid can talk SSL, so insertion of XFF is possible. But for other applications, XFF is of no use.

> IMO you shouldn't have to tweak around with the firewall or the IP stack
> to make up for a missing capability but nvm.

I don't think I need to make up for a missing capability, as man 4 ip says:

    If the IP_BINDANY option is enabled on a SOCK_STREAM, SOCK_DGRAM or a
    SOCK_RAW socket, one can bind(2) to any address, even one not bound to
    any available network interface in the system. This functionality (in
    conjunction with special firewall rules) can be used for implementing a
    transparent proxy. The PRIV_NETINET_BINDANY privilege is needed to set
    this option.

http://www.freebsd.org/cgi/man.cgi?query=ip&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&format=html

Here I want:

    nn:nn:nn.nnnnnn IP 127.0.0.1.51791 > 192.168.103.2.80: Flags [S], ack ...
    int_if="lo0"
    ext_if="ed0"

    pass in on $int_if route-to ($int_if 127.0.0.1) from 192.168.103.1 keep state

But no good (it's not able to sync):

    20:02:17.282414 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq 3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 8998630 ecr 0], length 0
    20:02:20.276987 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq 3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 8998930 ecr 0], length 0
    20:02:23.477037 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq 3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 8999250 ecr 0], length 0
    20:02:26.677036 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq 3005214022, win 65535, options [mss 16344,sackOK,eol], length 0

Visualizing the result of the rule is not too keen.

Thanks