From: Jay Corrales <jay@experts-exchange.com>
Date: Mon, 10 Jan 2011 11:47:39 -0800
To: freebsd-ipfw@freebsd.org
Subject: Fwd: stunnel transparent proxy
Message-ID: <4D2B625B.1030403@experts-exchange.com>
List-Id: IPFW Technical Discussions

Folks,

In brief, I am trying to determine if this is possible with ipfw rules. Please see below. Thank you.

-------- Original Message --------
Date: Fri, 7 Jan 2011 11:45:14 -0800
To: freebsd-hackers@freebsd.org
Cc: freebsd-stable@freebsd.org, freebsd-ports@freebsd.org
Subject: stunnel transparent proxy

Folks,

Would it be possible to devise an ipfw 'fwd' rule to pass along a socket connection with IP_BINDANY set via stunnel that forwards it to another process? The problem I'm having is that the vnc service on the other side cannot reply back to the IP address because the routing does not redirect back through stunnel. I am testing configurations using apache (port 80 and 443) for convenience.

Request    : ext ip -> stunnel -> vnc svc
Response   : vnc svc X-> ext ip
instead of : vnc svc -> stunnel -> ext ip

With stunnel's transparent set option traffic looks like:

19:31:34.162337 IP 192.168.103.69.52671> 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 7437993 ecr 0], length 0
19:31:37.153079 IP 192.168.103.69.52671> 127.0.0.1.80: Flags [S],..
19:31:40.351804 IP 192.168.103.69.52671> 127.0.0.1.80: Flags [S], ..
19:31:43.550543 IP 192.168.103.69.52671> 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, options [mss 16344,sackOK,eol], length 0

Without transparent, traffic flows fine, and looks like:

19:32:55.883404 IP 127.0.0.1.30326> 127.0.0.1.80: Flags [S], seq 2147354729, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 7446169 ecr 0], length 0
19:32:55.883575 IP 127.0.0.1.80> 127.0.0.1.30326: Flags [S.], seq 2770470513, ack 2147354730, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1229815108 ecr 7446169], length 0
19:32:55.883589 IP 127.0.0.1.30326> 127.0.0.1.80: Flags [.], ack 1, win 8960, options [nop,nop,TS val 7446169 ecr 1229815108], length 0
...

I did try to devise pf rules to redirect or rdr and nat, but neither worked. I am only vaguely familiar with ipfw, and some of my research led me to believe it may be possible.

Thanks

P.S. I did post the same question earlier on the freebsd-pf list as well.
http://lists.freebsd.org/pipermail/freebsd-pf/2011-January/005914.html
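The two captures quoted in the mail differ in one observable way: in transparent mode the client's SYN is retransmitted on lo0 and no SYN-ACK ever comes back, because the reply is routed toward the spoofed source address instead of back through stunnel. The check below is an added example, not code from the mail or from stunnel, that spots such half-open flows in tcpdump output; the sample lines are constructed after the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the mail's captures: transparent mode
# (SYN retransmitted, never answered) and the working non-transparent case.
TRANSPARENT = """\
19:31:34.162337 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, length 0
19:31:37.153079 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, length 0
19:31:40.351804 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, length 0
19:31:43.550543 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, length 0
"""
WORKING = """\
19:32:55.883404 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [S], seq 2147354729, win 65535, length 0
19:32:55.883575 IP 127.0.0.1.80 > 127.0.0.1.30326: Flags [S.], seq 2770470513, ack 2147354730, win 65535, length 0
19:32:55.883589 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [.], ack 1, win 8960, length 0
"""

# tcpdump "IP a.b.c.d.port > e.f.g.h.port: Flags [..]" (the space before '>'
# is optional so pasted output with it stripped still parses).
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) ?> (\S+)\.(\d+): Flags \[([^\]]*)\]")


def half_open_flows(capture):
    """Map (client, cport, server, sport) -> number of SYNs seen, for every
    flow whose SYNs were never answered by a SYN-ACK in the capture."""
    syns = defaultdict(int)
    synacked = set()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sp, dst, dp, flags = m.groups()
        if flags == "S":
            syns[(src, sp, dst, dp)] += 1
        elif "S" in flags and "." in flags:
            # SYN-ACK travels server -> client; key it as the client's flow
            synacked.add((dst, dp, src, sp))
    return {k: n for k, n in syns.items() if k not in synacked}


if __name__ == "__main__":
    for name, cap in (("transparent", TRANSPARENT), ("plain", WORKING)):
        for (c, cp, s, sp), n in half_open_flows(cap).items():
            print(f"{name}: {c}:{cp} -> {s}:{sp} sent {n} SYNs, no SYN-ACK")
```

A non-empty result for a flow whose server is reachable locally is the signature of the asymmetric return path described in the mail.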