From: Mij <mij@bitchx.it>
To: freebsd-pf@freebsd.org
Date: Thu, 5 Feb 2009 03:24:41 +0100
Subject: bridge and PF for transparent proxy
Message-Id: <397AAEFD-1C61-4EB4-8913-461A43EA9E2C@bitchx.it>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello folks,

On a FBSD7.1 box I would like to implement this sort of "transparent reverse proxy":

    inet <---> (vr0)(vr1) <---> host

Such a box is expected to

1) pass transparently anything from inet to host and vice versa
2) redirect some of such traffic (some well-defined TCP connections) from "inet" to an application listening on 127.0.0.1 on the box
3) make this application connect to "host" pretending to be the original source -- that is, using as source address the address of the client that connected to it from inet

I use bridge(4) over vr0 and vr1 to implement 1).
I use something similar to http://marc.info/?l=openbsd-misc&m=108089194621750&w=2 for 2).

Although from the network perspective 3) seems easily feasible as well, I cannot think of a reasonable setup on the box host for it. Does anyone have some advice for it?