Date:      Mon, 10 Jan 2011 11:47:39 -0800
From:      Jay Corrales <jay@experts-exchange.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Fwd: stunnel transparent proxy
Message-ID:  <4D2B625B.1030403@experts-exchange.com>

Folks,

In brief, I am trying to determine if this is possible with ipfw rules. 
Please see below.

Thank you.

-------- Original Message --------
Date: 	Fri, 7 Jan 2011 11:45:14 -0800
To: 	freebsd-hackers@freebsd.org
Cc: 	freebsd-stable@freebsd.org, freebsd-ports@freebsd.org
Subject: 	stunnel transparent proxy



Folks,

Would it be possible to devise an ipfw 'fwd' rule to pass along a socket
connection with IP_BINDANY set via stunnel that forwards it to another
process? The problem I'm having is the vnc service on the other side
cannot reply back to the IP address because the routing does not redirect
back through stunnel. I am testing configurations using apache (port 80
and 443) for convenience.

Request :

ext ip ->  stunnel ->  vnc svc

Response :

vnc svc X->ext ip

instead of :

vnc svc ->  stunnel ->  ext ip

With stunnel's transparent set option traffic looks like :

19:31:34.162337 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq
2050938762, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val
7437993 ecr 0], length 0
19:31:37.153079 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], <snip> ..
19:31:40.351804 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], <snip> ..
19:31:43.550543 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq
2050938762, win 65535, options [mss 16344,sackOK,eol], length 0

Without transparent, traffic flows fine, and looks like :

19:32:55.883404 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [S], seq
2147354729, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val
7446169 ecr 0], length 0
19:32:55.883575 IP 127.0.0.1.80 > 127.0.0.1.30326: Flags [S.], seq
2770470513, ack 2147354730, win 65535, options [mss 16344,nop,wscale
3,sackOK,TS val 1229815108 ecr 7446169], length 0
19:32:55.883589 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [.], ack 1, win
8960, options [nop,nop,TS val 7446169 ecr 1229815108], length 0

...

I did try to devise pf rules to redirect, or rdr and nat, but neither
worked. I am only vaguely familiar with ipfw, and some of my research
has led me to believe it may be possible.

Thanks

P.S. I did post the same question earlier on freebsd-pf list as well.
http://lists.freebsd.org/pipermail/freebsd-pf/2011-January/005914.html
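The thread above contains no answer, so the following is an added example, not code from the poster or from stunnel or FreeBSD. It sketches the ipfw rule shape a practitioner would test for the asymmetric return path the tcpdump output shows: the backend replies to the spoofed client address, and an ipfw `fwd` to a local address re-injects those replies into the local stack, where the kernel can match the IP_BINDANY socket stunnel opened toward the client (the documented ipfw(8) behaviour of `fwd` with a local next hop). The service port 5900, the rule numbers, and the `lo0` interface name are assumptions; substitute the port stunnel actually connects to (80 or 443 in the poster's Apache test).

```shell
#!/bin/sh
# Added example (not from the original thread). Emits an ipfw rule set that
# hands a transparently proxied service's replies back to the local stunnel
# socket instead of routing them toward the spoofed client address.
#
# Assumptions, not taken from the post:
#   - the backend (VNC in the post, Apache in the test) listens on 127.0.0.1
#     and stunnel connects to it with transparent source (IP_BINDANY);
#   - the backend port is 5900 unless overridden;
#   - 'fwd 127.0.0.1' on an outbound packet delivers it locally, as ipfw(8)
#     describes for fwd with a local next hop;
#   - older releases need a kernel built with 'options IPFIREWALL_FORWARD'.

# Print the rules. $1 = backend port (default 5900), $2 = rule base (default 1000).
ipfw_transparent_return_rules() {
    svc_port="${1:-5900}"
    base="${2:-1000}"

    # Replies leave the backend as 127.0.0.1:<svc_port> -> <spoofed client>.
    # Without this rule they are routed out the LAN interface and the
    # three-way handshake never completes, which is what the post's
    # repeated SYNs show. Forwarding to 127.0.0.1 keeps them on this host.
    printf 'add %d fwd 127.0.0.1 tcp from 127.0.0.1 %d to any out\n' \
        "$base" "$svc_port"

    # Ordinary loopback traffic, including stunnel's own connection to the
    # backend, must still pass.
    printf 'add %d allow ip from any to any via lo0\n' "$((base + 10))"
}

# Usage:
#   sh this_script.sh            # print the rules for review
#   sh this_script.sh apply 80   # feed them to ipfw(8) for backend port 80
case "${1:-}" in
    apply)
        ipfw_transparent_return_rules "${2:-5900}" | while read -r rule; do
            # shellcheck disable=SC2086  # word splitting is intended here
            ipfw $rule
        done
        ;;
    "")
        ipfw_transparent_return_rules "${2:-5900}"
        ;;
esac
```

Review the printed rules before applying them: the `out` direction and the `from 127.0.0.1 <port>` source are what keep the `fwd` from catching unrelated traffic, and the rule must sit before any rule that would otherwise allow or deny the backend's replies.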