Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 9 Jun 2003 01:05:07 +0300
From:      Ruslan Ermilov <ru@freebsd.org>
To:        Vaclav Petricek <petricek@sec.ms.mff.cuni.cz>
Cc:        freebsd-security@freebsd.org
Subject:   Re: redirect unauthorized users to a login page (natd as a transparent proxy)
Message-ID:  <20030608220507.GA84706@sunbay.com>
In-Reply-To: <Pine.BSF.4.50.0306082233300.86521-100000@sec.ms.mff.cuni.cz>
References:  <Pine.BSF.4.50.0306082233300.86521-100000@sec.ms.mff.cuni.cz>

next in thread | previous in thread | raw e-mail | index | archive | help

--EuxKj2iCbKjpUGkD
Content-Type: multipart/mixed; boundary="vtzGhvizbBRQ85DL"
Content-Disposition: inline


--vtzGhvizbBRQ85DL
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Jun 08, 2003 at 10:35:47PM +0200, Vaclav Petricek wrote:
>=20
> Hello
>=20
> I am trying to redirect all http traffic of unauthorized wifi users on a
> wireless hotspot to a login page. The problem I have is that I can not
> disable the regular address translation (I want the source address to stay
> the same).
>=20
> 10.0.0.7       is the wifi client
> 195.250.155.29 is the web wifi user tries to access from his browser
> 195.113.17.94  is my login page
> 10.0.0.1       is the wifi interface on the server
>=20
> What happens is
>=20
> In  [TCP]  [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to
>            [TCP] 10.0.0.1:1036 -> 195.113.17.94:80
>=20
> The natd configuration file:
> -------------------------------------------------------------------------
> interface wi0
> port 1234
> #proxy_only yes
> reverse
> proxy_rule port 80 server 195.113.17.94:80
> -------------------------------------------------------------------------
>=20
> Natd was run as natd -f /etc/natd.conf -v with
> 00010 divert 1234 tcp from any to any via wi0
>=20
> I was hoping proxy_only will do the trick but it does not seem to have
> any impact and the source address is changed anyway.
>=20
> A quick glance at the source did not help much to my understanding of the
> proxy_only option.
>=20
Confirmed as a bug.  The attached patch worked for me,
please test it.  You'll have to recompile and reinstall
libalias(3), then recompile and reinstall natd(8) with
new library.


Cheers,
--=20
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software Ltd,
ru@FreeBSD.org		FreeBSD committer

--vtzGhvizbBRQ85DL
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=p
Content-Transfer-Encoding: quoted-printable

Index: alias.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/lib/libalias/alias.c,v
retrieving revision 1.36
diff -u -p -r1.36 alias.c
--- alias.c	23 Jul 2002 00:16:19 -0000	1.36
+++ alias.c	8 Jun 2003 21:56:06 -0000
@@ -1057,7 +1057,8 @@ TcpAliasOut(struct ip *pip, int maxpacke
=20
     link =3D FindUdpTcpOut(pip->ip_src, pip->ip_dst,
                          tc->th_sport, tc->th_dport,
-                         IPPROTO_TCP, 1);
+                         IPPROTO_TCP,
+                         !(packetAliasMode & PKT_ALIAS_PROXY_ONLY));
     if (link !=3DNULL)
     {
         u_short alias_port;

--vtzGhvizbBRQ85DL--

--EuxKj2iCbKjpUGkD
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+47MTUkv4P6juNwoRAsn+AKCHkWjieyXZvyRYzPJngRtWGF85TwCeKzqv
GQY7xoDE76TXhD85NnP1ass=
=8h8c
-----END PGP SIGNATURE-----

--EuxKj2iCbKjpUGkD--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030608220507.GA84706>