From: Vaclav Petricek
To: freebsd-security@freebsd.org
Date: Sun, 8 Jun 2003 22:35:47 +0200 (CEST)
Subject: redirect unauthorized users to a login page (natd as a transparent proxy)
List-Id: Security issues [members-only posting]

Hello

I am trying to redirect all http traffic of unauthorized wifi users on a wireless hotspot to a login page. The problem I have is that I cannot disable the regular address translation (I want the source address to stay the same).
10.0.0.7 is the wifi client
195.250.155.29 is the web site the wifi user tries to access from his browser
195.113.17.94 is my login page
10.0.0.1 is the wifi interface on the server

What happens is

In [TCP] [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to [TCP] 10.0.0.1:1036 -> 195.113.17.94:80

The natd configuration file:
-------------------------------------------------------------------------
interface wi0
port 1234
#proxy_only yes
reverse
proxy_rule port 80 server 195.113.17.94:80
-------------------------------------------------------------------------

Natd was run as

natd -f /etc/natd.conf -v

with

00010 divert 1234 tcp from any to any via wi0

I was hoping proxy_only would do the trick, but it does not seem to have any impact and the source address is changed anyway. A quick glance at the source did not help my understanding of the proxy_only option much.

Thank you very much for any hints,

Vaclav
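Added example (not part of Vaclav's mail, and not natd or FreeBSD code): a small Python checker for the one-line "aliased to" form of natd -v output as quoted above. It parses each translation line and reports whether natd rewrote the source address (ordinary masquerading), only the destination (a pure redirect, which is the behaviour the post is after), or both. Assumptions: the one-line layout exactly as it appears in the post (natd itself wraps the "aliased to" continuation onto a second line, so join those first); only the first sample log line is taken from the post, the others are constructed here to exercise the remaining classes.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]

# One-line form of a natd -v translation record, as quoted in the post:
#   In [TCP] [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to [TCP] 10.0.0.1:1036 -> 195.113.17.94:80
# Assumption: real natd output wraps after "aliased to"; join the two lines before feeding them in.
_EP = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})"
_LINE = re.compile(
    r"^\s*(In|Out)\s+\[(\w+)\]\s+\[\w+\]\s+" + _EP + r"\s*->\s*" + _EP
    + r"\s+aliased\s+to\s+\[\w+\]\s+" + _EP + r"\s*->\s*" + _EP + r"\s*$"
)


@dataclass(frozen=True)
class Translation:
    direction: str
    proto: str
    orig_src: Endpoint
    orig_dst: Endpoint
    new_src: Endpoint
    new_dst: Endpoint

    @property
    def src_rewritten(self) -> bool:
        return self.orig_src != self.new_src

    @property
    def dst_rewritten(self) -> bool:
        return self.orig_dst != self.new_dst


def parse_line(line: str) -> Optional[Translation]:
    """Return a Translation for a natd -v 'aliased to' line, or None if it is not one."""
    m = _LINE.match(line)
    if m is None:
        return None
    g = m.groups()
    eps = [(g[i], int(g[i + 1])) for i in range(2, 10, 2)]  # four ip:port pairs
    return Translation(g[0], g[1], *eps)


def classify(t: Translation) -> str:
    """Classify a client-to-server ('In' with 'reverse', as in the post) translation."""
    if t.src_rewritten and t.dst_rewritten:
        return "nat+redirect"   # source aliased AND destination redirected: the symptom in the post
    if t.src_rewritten:
        return "nat"            # ordinary masquerading, destination untouched
    if t.dst_rewritten:
        return "redirect-only"  # destination changed, client address preserved
    return "passthrough"


def audit(log_text: str) -> dict:
    """Count each kind of translation in a chunk of (line-joined) natd -v output."""
    counts = {"nat+redirect": 0, "nat": 0, "redirect-only": 0, "passthrough": 0, "unparsed": 0}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        t = parse_line(raw)
        counts[classify(t) if t else "unparsed"] += 1
    return counts


# Constructed sample. Line 1 is the record quoted in the post; lines 2 and 3 are made up
# here to show a pure redirect and plain NAT; the last line is a non-record for the parser to skip.
SAMPLE_LOG = """
In [TCP] [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to [TCP] 10.0.0.1:1036 -> 195.113.17.94:80
In [TCP] [TCP] 10.0.0.7:1037 -> 195.250.155.29:80 aliased to [TCP] 10.0.0.7:1037 -> 195.113.17.94:80
In [TCP] [TCP] 10.0.0.7:1038 -> 195.250.155.29:443 aliased to [TCP] 10.0.0.1:1038 -> 195.250.155.29:443
# natd -f /etc/natd.conf -v
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.strip().splitlines():
        t = parse_line(line)
        print(classify(t) if t else "unparsed", "|", line)
    print(audit(SAMPLE_LOG))
```

Run over real natd -v output (after joining the wrapped "aliased to" lines), a non-zero "nat+redirect" count with zero "redirect-only" records is exactly the situation the post describes: the proxy rule is firing, but ordinary source aliasing is still being applied on top of it.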