From owner-freebsd-current Tue Jun 9 22:12:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA23568 for freebsd-current-outgoing; Tue, 9 Jun 1998 22:12:59 -0700 (PDT) (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA23557 for ; Tue, 9 Jun 1998 22:12:57 -0700 (PDT) (envelope-from julian@whistle.com)
Received: (from daemon@localhost) by alpo.whistle.com (8.8.5/8.8.5) id WAA03494 for ; Tue, 9 Jun 1998 22:06:47 -0700 (PDT)
Received: from current1.whistle.com(207.76.205.22) via SMTP by alpo.whistle.com, id smtpd003488; Wed Jun 10 05:06:42 1998
Date: Tue, 9 Jun 1998 22:06:39 -0700 (PDT)
From: Julian Elischer
To: current@FreeBSD.ORG
Subject: Announce: Transparent proxy patches
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Chrisy Luke posted a mixed set of patches recently that added the ability to do transparent proxying to FreeBSD, however there were several shortcomings.

1/ In particular you really needed 2 machines or to match 2 different rules to be able to do some redirections.

2/ They were part of his 'multipath' patches.

I have separated them out and updated them for -current. I have also put in some code to allow local redirection of outgoing packets. They allow you to do:

    ipfw add 2 fwd localhost,4000 tcp from any to any 80 out xmit tun0 recv ed0

which would redirect any outgoing internet http requests from your local network to your local web cache (squid?) at port 4000, or even

    ipfw add 2 fwd localhost tcp from any to any in recv ed0

which will 'capture' all packets coming through that machine from ed0 and redirect them to the same port on the local machine. This would allow you to feed connections to a whole pile of proxies and filters with a single firewall rule.
For fun:

    ipfw add 2 fwd localhost,25 tcp from any to any 23 in recv ed0

which will redirect all the telnet sessions to smtp :-)

Alternatively you could redirect all outgoing http requests to a special cache machine ("squid")..

    #squid can get anywhere..
    ipfw add 1 allow tcp from squid to any 80
    #everyone else goes via squid
    ipfw add 2 fwd squid,80 tcp from any to any 80 out xmit tun0 recv ed0

Of course machine squid needs a local redirect to capture the requests..

    #gobble
    ipfw add 2 fwd localhost tcp from any to any 80 in

I believe Linux has had this for a short while..

The patches for this are at:
http://www.freebsd.org/~julian

looking for feedback..
julian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
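The message only shows the firewall side of the redirect. The other half is the program sitting behind "fwd localhost,4000": it has to work out where the client was really going, decide whether it is willing to go there, and then shuttle bytes in both directions. The following is an added example written for this page; it is not code from the post or from the patches it announces. It assumes ipfw fwd semantics as the post describes them (the packet keeps its original destination address, the kernel merely hands it to a local socket), so getsockname() on the accepted socket yields the client's intended server; the listen address 127.0.0.1:4000 and the allowed destination port 80 are assumptions that mirror the first rule in the post.

```python
"""Minimal transparent TCP relay for the receiving end of an ipfw "fwd" rule.

Added example for this page, not the post's or the patches' own code.
Assumption: under ipfw fwd the packet's destination address is untouched,
so getsockname() on the accepted socket is the address the client addressed.
"""
import selectors
import socket
import threading

# Assumed target of "ipfw add 2 fwd localhost,4000 tcp from any to any 80 ...".
LISTEN = ("127.0.0.1", 4000)


def original_destination(conn):
    """Return the (ip, port) the client actually addressed.

    The fwd rule changes only which local socket receives the packet; the
    destination in the IP header is unchanged, so the local name of the
    accepted socket is the real server (assumption stated in the lead-in)."""
    ip, port = conn.getsockname()[:2]
    return ip, port


def is_safe_target(ip, port, allowed_ports=(80,), local_ips=("127.0.0.1",)):
    """Least-privilege check before dialing out on the client's behalf.

    A capturing proxy connects wherever the recovered address says, so it
    refuses to connect back into this host and only relays to the port the
    firewall rule was written for (80 in the first rule of the post)."""
    if ip in local_ips or ip == LISTEN[0]:
        return False
    return port in allowed_ports


def relay(a, b, bufsize=4096):
    """Copy bytes both ways until each side has sent EOF.

    Returns (bytes a->b, bytes b->a). A half-close is propagated to the other
    side, so an HTTP/1.0 client that shuts its write side after the request
    still receives the whole response."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, b)
    sel.register(b, selectors.EVENT_READ, a)
    moved = {a: 0, b: 0}
    live = 2
    while live:
        for key, _ in sel.select():
            src, dst = key.fileobj, key.data
            try:
                data = src.recv(bufsize)
            except OSError:          # reset by peer: treat as EOF
                data = b""
            if not data:
                sel.unregister(src)
                live -= 1
                try:
                    dst.shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                continue
            dst.sendall(data)
            moved[src] += len(data)
    sel.close()
    return moved[a], moved[b]


def handle(conn):
    """Serve one captured connection: recover target, vet it, relay."""
    ip, port = original_destination(conn)
    if not is_safe_target(ip, port):
        conn.close()
        return
    upstream = socket.create_connection((ip, port), timeout=10)
    upstream.settimeout(None)
    with conn, upstream:
        relay(conn, upstream)


if __name__ == "__main__":
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(LISTEN)
    srv.listen(64)
    while True:
        client, _ = srv.accept()
        threading.Thread(target=handle, args=(client,), daemon=True).start()
```

The relay itself is protocol-agnostic, which is the point of the "fwd localhost" rule that redirects every port: one listener per captured port, all sharing the same handle(). The is_safe_target() check is the part worth keeping even if everything else is replaced; without it the redirect turns the proxy host into a connect-anywhere relay for whatever the firewall sends it.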