From owner-freebsd-current@FreeBSD.ORG Fri Mar 11 22:44:40 2005 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 05AB116A4CE for ; Fri, 11 Mar 2005 22:44:40 +0000 (GMT) Received: from mail.vicor-nb.com (bigwoop.vicor-nb.com [208.206.78.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id C361143D2D for ; Fri, 11 Mar 2005 22:44:39 +0000 (GMT) (envelope-from julian@elischer.org) Received: from [208.206.78.97] (julian.vicor-nb.com [208.206.78.97]) by mail.vicor-nb.com (Postfix) with ESMTP id B340A7A423; Fri, 11 Mar 2005 14:44:39 -0800 (PST) Message-ID: <42321F57.9060708@elischer.org> Date: Fri, 11 Mar 2005 14:44:39 -0800 From: Julian Elischer User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20050218 X-Accept-Language: en, hu MIME-Version: 1.0 To: Julian Elischer References: <20050311223413.GA5126@mimoza.pantel.net> <42321E4F.9020904@elischer.org> In-Reply-To: <42321E4F.9020904@elischer.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: current@freebsd.org Subject: Re: Transparent proxy feature? X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Mar 2005 22:44:40 -0000 responding to myself to add more.. Julian Elischer wrote: > > > Antal Rutz wrote: > >> Hi, >> >> Nowadays I have to use a special firewall software ('zorp') but >> unfortunately it only runs on linux. the reason is that only linux >> has the feature (transparent proxying) to listen on/send packets >> (sourcing) >> from other IP addresses than the machine has. (maybe with an extra kmod) >> >> The developers told me that they aren't familiar with FreeBSD but would >> port their software to it if the OS had support for that t-proxy. >> >> The question is: Is there any plan to support that thing (maybe through >> ipfw, pf or ipfilter - no idea) or is that too sick? >> >> > > There is already transparrent proxy support in FreeBSD and ahs been > for manyu years. > > it is accessed through the ipfw "fwd" option.. > > ipfw add fwd localhost,1234 tcp from {somewhere} to (somewhere) {via > some interface} > > Here's the man entry for that feature. > > fwd | forward ipaddr[,port] > Change the next-hop on matching packets to ipaddr, which > can be > an IP address in dotted quad format or a host name. The > search > terminates if this rule matches. > > If ipaddr is a local address, then matching packets will > be for- > warded to port (or the port number in the packet if one is > not > specified in the rule) on the local machine. > If ipaddr is not a local address, then the port number (if > speci- > fied) is ignored, and the packet will be forwarded to the > remote > address, using the route as found in the local routing > table for > that IP. > A fwd rule will not match layer-2 packets (those received on > ether_input, ether_output, or bridged). > The fwd action does not change the contents of the packet > at all. > In particular, the destination address remains unmodified, so > packets forwarded to another system will usually be > rejected by > that system unless there is a matching rule on that system to > capture them. For packets forwarded locally, the local > address > of the socket will be set to the original destination > address of > the packet. This makes the netstat(1) entry look rather > weird > but is intended for use with transparent proxy servers. The proxy software need only do a getsockname() to get the sockaddr to use for the forward connection. The ipfw rules need to be set so that the outgoing forward connection by the proxy is not also captured :-) > >> thanks alot. >> >> > _______________________________________________ > freebsd-current@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to > "freebsd-current-unsubscribe@freebsd.org"