From owner-freebsd-current@FreeBSD.ORG Fri Mar 11 22:40:18 2005
From: Julian Elischer
Date: Fri, 11 Mar 2005 14:40:15 -0800
To: Antal Rutz
Cc: current@freebsd.org
Subject: Re: Transparent proxy feature?
Message-ID: <42321E4F.9020904@elischer.org>
In-Reply-To: <20050311223413.GA5126@mimoza.pantel.net>

Antal Rutz wrote:
> Hi,
>
> Nowadays I have to use a special firewall software ('zorp') but
> unfortunately it only runs on Linux. The reason is that only Linux
> has the feature (transparent proxying) to listen on/send packets (sourcing)
> from other IP addresses than the machine has. (maybe with an extra kmod)
>
> The developers told me that they aren't familiar with FreeBSD but would
> port their software to it if the OS had support for that t-proxy.
>
> The question is: Is there any plan to support that thing (maybe through
> ipfw, pf or ipfilter - no idea) or is that too sick?
>

There is already transparent proxy support in FreeBSD and has been for many
years. It is accessed through the ipfw "fwd" option:

  ipfw add fwd localhost,1234 tcp from {somewhere} to {somewhere} {via some interface}

Here's the man entry for that feature.

     fwd | forward ipaddr[,port]
             Change the next-hop on matching packets to ipaddr, which can be
             an IP address in dotted quad format or a host name.  The search
             terminates if this rule matches.

             If ipaddr is a local address, then matching packets will be
             forwarded to port (or the port number in the packet if one is
             not specified in the rule) on the local machine.
             If ipaddr is not a local address, then the port number (if
             specified) is ignored, and the packet will be forwarded to the
             remote address, using the route as found in the local routing
             table for that IP.
             A fwd rule will not match layer-2 packets (those received on
             ether_input, ether_output, or bridged).
             The fwd action does not change the contents of the packet at
             all.  In particular, the destination address remains
             unmodified, so packets forwarded to another system will usually
             be rejected by that system unless there is a matching rule on
             that system to capture them.  For packets forwarded locally,
             the local address of the socket will be set to the original
             destination address of the packet.  This makes the netstat(1)
             entry look rather weird but is intended for use with
             transparent proxy servers.

> thanks a lot.
>
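The behaviour the man entry above describes, as an added example that is not part of the thread or of FreeBSD's own code: the accept side of a transparent proxy sitting behind an ipfw fwd rule, recovering the client's original destination with getsockname() because fwd leaves the packet unmodified and sets the socket's local address to that destination. The rule's subnet (192.168.1.0/24), interface (em0) and proxy port (1234) are assumed sample values.

```c
/* Added example, not code from the thread: the accept side of a transparent
 * proxy on 127.0.0.1:1234 behind an ipfw rule like (subnet, interface assumed)
 *   ipfw add 1000 fwd 127.0.0.1,1234 tcp from 192.168.1.0/24 to any 80 in via em0
 * fwd leaves the packet untouched and sets the accepted socket's local
 * address to the client's original destination, so getsockname() recovers it. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Store the socket's local address in buf/port. On a connection accepted via
 * a fwd rule this is where the client was really going, not 127.0.0.1:1234.
 * Returns 0 on success, -1 on error. */
int original_destination(int fd, char *buf, size_t buflen, unsigned short *port)
{
    struct sockaddr_in sin;
    socklen_t slen = sizeof(sin);
    memset(&sin, 0, sizeof(sin));
    if (getsockname(fd, (struct sockaddr *)&sin, &slen) != 0 ||
        sin.sin_family != AF_INET ||
        inet_ntop(AF_INET, &sin.sin_addr, buf, buflen) == NULL)
        return -1;
    *port = ntohs(sin.sin_port);
    return 0;
}

int main(void)
{
    struct sockaddr_in sin;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    char dst[INET_ADDRSTRLEN];
    unsigned short dport;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(1234);          /* the port named in the fwd rule */
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sin, sizeof(sin)) != 0 ||
        listen(lfd, 16) != 0)
        return 1;
    for (;;) {
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0)
            continue;
        if (original_destination(cfd, dst, sizeof(dst), &dport) == 0)
            printf("client wanted %s:%u\n", dst, dport);
        close(cfd);   /* a real proxy would connect to dst:dport and relay */
    }
}
```

Because the rule is scoped with "in via em0" to packets arriving on the inside interface, the proxy's own outbound connections to the real destination do not match it and loop back.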