transparent proxy
jay at experts-exchange.com
Sun Jan 2 20:04:20 UTC 2011
> In other software such as HTTP that you took for example, there's this
> special X-Forwarded-For header which covers this very need.
Squid can talk SSL, so insertion of XFF is possible. But for other
applications, XFF is of no use.
> IMO you shouldn't have to tweak around with the firewall or the IP stack
> to make up for a missing capability but nvm.
I don't think I need to make up for a missing capability, as man 4 ip says:
If the IP_BINDANY option is enabled on a SOCK_STREAM, SOCK_DGRAM or a
SOCK_RAW socket, one can bind(2) to any address, even one not bound to
any available network interface in the system. This functionality (in
conjunction with special firewall rules) can be used for implementing a
transparent proxy. The PRIV_NETINET_BINDANY privilege is needed to set
this option.
http://www.freebsd.org/cgi/man.cgi?query=ip&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&format=html
Here I want:
nn:nn:nn.nnnnnn IP 127.0.0.1.51791 > 192.168.103.2.80: Flags [S], ack ...
int_if="lo0"
ext_if="ed0"
pass in on $int_if route-to ($int_if 127.0.0.1) from 192.168.103.1 keep state
But no good (it's not able to sync):
20:02:17.282414 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq
3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val
8998630 ecr 0], length 0
20:02:20.276987 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq
3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val
8998930 ecr 0], length 0
20:02:23.477037 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq
3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val
8999250 ecr 0], length 0
20:02:26.677036 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq
3005214022, win 65535, options [mss 16344,sackOK,eol], length 0
Visualizing the result of the rule is not too keen.
Thanks
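As an added example, not code from the original post or from FreeBSD, here is the socket side of what the quoted ip(4) text describes: a proxy process sets IP_BINDANY (root, i.e. PRIV_NETINET_BINDANY, is required), binds to the original client's address even though that address belongs to no local interface, and connects to the real server, so the server sees the SYN come from the client's own IP and port with no X-Forwarded-For involved. The addresses and ports (192.168.103.1, 192.168.103.2:80, 51791) are taken from the post; the function names and the Linux IP_TRANSPARENT fallback are my assumptions so the program also compiles off FreeBSD.

```c
/* Added example (not from the original post): connect out from a transparent
 * proxy while presenting the original client's IP:port as the source, using
 * the IP_BINDANY socket option described in ip(4). */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#if defined(IP_BINDANY)
#define BINDANY_OPT IP_BINDANY      /* FreeBSD: needs PRIV_NETINET_BINDANY (root) */
#elif defined(IP_TRANSPARENT)
#define BINDANY_OPT IP_TRANSPARENT  /* Linux equivalent (assumed); needs CAP_NET_ADMIN */
#else
#error "no non-local bind option on this platform"
#endif

/* Fill an IPv4 sockaddr from dotted-quad text; 0 on success, -1 on a bad address. */
int make_sockaddr(const char *ip, uint16_t port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1 ? 0 : -1;
}

/* Create a TCP socket, enable non-local bind, and bind it to src_ip:src_port,
 * which need not belong to any local interface. Returns the fd, or -1 with
 * errno set (EPERM when the caller lacks the privilege). */
int open_bindany_socket(const char *src_ip, uint16_t src_port)
{
    struct sockaddr_in src;
    int fd, one = 1, saved;

    if (make_sockaddr(src_ip, src_port, &src) < 0) {
        errno = EINVAL;
        return -1;
    }
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_IP, BINDANY_OPT, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&src, sizeof src) < 0) {
        saved = errno;      /* keep the real failure, close() must not mask it */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* The proxy's upstream leg: the server sees the SYN arrive from the client's
 * own address, so this works for any protocol, not only HTTP. The server's
 * replies are addressed to client_ip, so the firewall must steer them back to
 * this host: that is the "special firewall rules" part of the man page text. */
int connect_as_client(const char *client_ip, uint16_t client_port,
                      const char *server_ip, uint16_t server_port)
{
    struct sockaddr_in dst;
    int fd, saved;

    if (make_sockaddr(server_ip, server_port, &dst) < 0) {
        errno = EINVAL;
        return -1;
    }
    fd = open_bindany_socket(client_ip, client_port);
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Upstream leg as the proxy would open it for the client in the post. */
    int fd = connect_as_client("192.168.103.1", 51791, "192.168.103.2", 80);
    if (fd < 0)
        return 1;          /* EPERM without root, or unreachable server */
    close(fd);
    return 0;
}
```

Two things to check when this does not behave: run it as root (otherwise setsockopt fails with EPERM before bind is ever tried), and make sure the firewall returns the server's reply packets, which are addressed to the client, to the proxy host; the socket option alone only controls what source address the proxy is allowed to emit.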