Date: Mon, 9 Jun 2003 01:05:07 +0300 From: Ruslan Ermilov <ru@freebsd.org> To: Vaclav Petricek <petricek@sec.ms.mff.cuni.cz> Cc: freebsd-security@freebsd.org Subject: Re: redirect unauthorized users to a login page (natd as a transparent proxy) Message-ID: <20030608220507.GA84706@sunbay.com> In-Reply-To: <Pine.BSF.4.50.0306082233300.86521-100000@sec.ms.mff.cuni.cz> References: <Pine.BSF.4.50.0306082233300.86521-100000@sec.ms.mff.cuni.cz>
next in thread | previous in thread | raw e-mail | index | archive | help
--EuxKj2iCbKjpUGkD
Content-Type: multipart/mixed; boundary="vtzGhvizbBRQ85DL"
Content-Disposition: inline
--vtzGhvizbBRQ85DL
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sun, Jun 08, 2003 at 10:35:47PM +0200, Vaclav Petricek wrote:
>=20
> Hello
>=20
> I am trying to redirect all http traffic of unauthorized wifi users on a
> wireless hotspot to a login page. The problem I have is that I can not
> disable the regular address translation (I want the source address to stay
> the same).
>=20
> 10.0.0.7 is the wifi client
> 195.250.155.29 is the web wifi user tries to access from his browser
> 195.113.17.94 is my login page
> 10.0.0.1 is the wifi interface on the server
>=20
> What happens is
>=20
> In [TCP] [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to
> [TCP] 10.0.0.1:1036 -> 195.113.17.94:80
>=20
> The natd configuration file:
> -------------------------------------------------------------------------
> interface wi0
> port 1234
> #proxy_only yes
> reverse
> proxy_rule port 80 server 195.113.17.94:80
> -------------------------------------------------------------------------
>=20
> Natd was run as natd -f /etc/natd.conf -v with
> 00010 divert 1234 tcp from any to any via wi0
>=20
> I was hoping proxy_only will do the trick but it does not seem to have
> any impact and the source address is changed anyway.
>=20
> A quick glance at the source did not help much to my understanding of the
> proxy_only option.
>=20
Confirmed as a bug. The attached patch worked for me,
please test it. You'll have to recompile and reinstall
libalias(3), then recompile and reinstall natd(8) with
new library.
Cheers,
--=20
Ruslan Ermilov Sysadmin and DBA,
ru@sunbay.com Sunbay Software Ltd,
ru@FreeBSD.org FreeBSD committer
--vtzGhvizbBRQ85DL
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=p
Content-Transfer-Encoding: quoted-printable
Index: alias.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/lib/libalias/alias.c,v
retrieving revision 1.36
diff -u -p -r1.36 alias.c
--- alias.c 23 Jul 2002 00:16:19 -0000 1.36
+++ alias.c 8 Jun 2003 21:56:06 -0000
@@ -1057,7 +1057,8 @@ TcpAliasOut(struct ip *pip, int maxpacke
=20
link =3D FindUdpTcpOut(pip->ip_src, pip->ip_dst,
tc->th_sport, tc->th_dport,
- IPPROTO_TCP, 1);
+ IPPROTO_TCP,
+ !(packetAliasMode & PKT_ALIAS_PROXY_ONLY));
if (link !=3DNULL)
{
u_short alias_port;
--vtzGhvizbBRQ85DL--
--EuxKj2iCbKjpUGkD
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQE+47MTUkv4P6juNwoRAsn+AKCHkWjieyXZvyRYzPJngRtWGF85TwCeKzqv
GQY7xoDE76TXhD85NnP1ass=
=8h8c
-----END PGP SIGNATURE-----
--EuxKj2iCbKjpUGkD--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030608220507.GA84706>