Date:      Sun, 24 Oct 2010 10:12:26 -0200
From:      Luiz Otavio O Souza <lists.br@gmail.com>
To:        Eduardo Meyer <dudu.meyer@gmail.com>
Cc:        Brandon Gooch <jamesbrandongooch@gmail.com>, Patrick Tracanelli <eksffa@freebsdbrasil.com.br>, ipfw@freebsd.org, Julian Elischer <julian@freebsd.org>, Adrian Chadd <adrian@ucc.gu.uwa.edu.au>
Subject:   Re: layer2 ipfw 'fwd' support
Message-ID:  <B88EA57C-0AB8-482C-A953-C984B7CBB1AB@gmail.com>
In-Reply-To: <AANLkTimy5E20WdpVmwug5kZ1eTJ9G7Cvt2Lee9_miVYi@mail.gmail.com>
References:  <AANLkTi=wHkmfDmoPrKN1SRcE9m=1_5iieAd85hQNWHs1@mail.gmail.com> <AANLkTinj8wd9AbROwRzUAUK=XraYmTDkoB3MGddqq-Tn@mail.gmail.com> <AANLkTin1vXOMPT6m8ybhNQk9G7WjDrCcSArP3Zwf65cR@mail.gmail.com> <4CAA1E7B.1020107@freebsd.org> <AANLkTikExTKMWvvDwn=rVUSqwz6UeVXi8WOSsHROQYq%2B@mail.gmail.com> <4CAA45CC.8020304@freebsd.org> <AANLkTikAd_fke1HfMgRy3h4fXpo7_DcX3E4%2BTu__3my8@mail.gmail.com> <4CAB8B35.7020703@freebsd.org> <AANLkTi=hoe%2BCaV6%2BbyagXYwzDRAHqCseh-M_44OxEeJO@mail.gmail.com> <4CACE7DE.9020106@freebsd.org> <AANLkTik2KEYACzjfTS%2BXpB3OiaJL-uYckbLbf2C0DWaS@mail.gmail.com> <AANLkTi=syThdw-%2B%2BKAbVdJLGrh2JEFUJi5ztKs9cxWFE@mail.gmail.com> <AANLkTikHcEn5yKJdTRYV4WjPkeEosWtGZvyyOeEK2%2BgZ@mail.gmail.com> <AANLkTimy5E20WdpVmwug5kZ1eTJ9G7Cvt2Lee9_miVYi@mail.gmail.com>

On Oct 22, 2010, at 9:49 AM, Eduardo Meyer wrote:
>>>
>>
>> To be clear, are we getting to the point of having the capability in
>> ipfw of doing something like this in pf:
>>
>> ...
>> pass in quick on $INT_IF route-to lo0 inet proto tcp from any to
>> 127.0.0.1 port 3128 keep state
>> ...
>
> Yes, pretty much that.
>
>>
>> ...thus allowing true, transparent proxying?
>>
>> I really thought that this was possible already with ipfw :( I need to
>> do some more reading...
>>
>> I would be very interested in obtaining details on your final setup,
>> once everything is in place and fully functioning :)
>
> Right. I'm still working on that. We have separate great things
> working perfectly. Now I want to glue it together. TPROXY with
> FreeBSD's IP_BINDANY works perfectly based on L3 redirection with
> IPFW. Now we can do IPFW L2 redirection/forwarding. So I want to be
> able to use both together, TPROXY with IPFW L2 forwarding.
>
> I am investigating the code, learning, trying some tests; since I am
> not a developer, not good at hacking 3rd party code, I am trying some
> dirty tricks. Unsuccessful right now but still investigating.

Hi Eduardo,

I haven't tried the TPROXY setup yet, but something came up in my thoughts about this...

The ipfw rule I was using to test the L2 fwd was something like this:

ipfw add fwd 127.0.0.1,3128 tcp from not me to any 80

And this rule forwards all the 'output' traffic on the bridge interface to lusca. Nice!

But with TPROXY, lusca will try to connect to HTTP servers with the client IP, and therefore all this traffic will also match the ipfw fwd rule! So we end up with a loop and the game is over...

I'm not sure yet (as I have not tested this) if this is the only problem or how we can work around this limitation.

We probably need to 'tag' the lusca packets somehow and skip the fwd rule.

Regards,
Luiz
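The loop Luiz describes, and the tag-and-skip fix he suggests, as an added example that is not part of the thread and not anyone's tested setup. It is an sh script that emits an ipfw(8) ruleset: connections the proxy opens itself are recognised by `uid` at the layer-3 output pass (where the packet still carries its socket, regardless of the TPROXY-spoofed source address) and marked with an mbuf tag, and the tagged packets are allowed past before the layer-2 fwd rule is reached. Everything named here is an assumption: the proxy listens on 127.0.0.1:3128 and runs as user `squid`, tag number 1 is unused, the kernel hands bridged frames to ipfw, and the rest of the policy (including what happens to non-port-80 traffic) is kept elsewhere.

```shell
#!/bin/sh
# Added example, not code from the thread: an ipfw(8) ruleset that keeps the
# proxy's own TPROXY connections from re-matching the layer-2 fwd rule.
# Every name below is an assumption (proxy on 127.0.0.1:3128 as uid "squid",
# free tag number 1); the remaining firewall policy lives elsewhere.
set -eu

PROXY_IP=${PROXY_IP:-127.0.0.1}
PROXY_PORT=${PROXY_PORT:-3128}
PROXY_USER=${PROXY_USER:-squid}   # assumption: uid the proxy daemon runs as
TAG=${TAG:-1}                     # assumption: an otherwise unused tag number

# Emit the rules in the order they must be installed.
#
# 100: at the layer-3 "out" pass the packet still has its socket attached,
#      so "uid" identifies connections the proxy opened itself even though
#      TPROXY made their source address the client's. Mark them with a tag.
# 200: the tag is an mbuf tag and is still present at the layer-2 pass,
#      where no socket lookup is possible; tagged packets bypass the fwd.
# 300: everything else bound for port 80 at layer 2 goes to the proxy. This
#      is the rule from the message above, restricted to the layer-2 pass so
#      the same packet is not redirected twice.
build_rules() {
    cat <<EOF
add 100 count tag $TAG tcp from any to any 80 out uid $PROXY_USER
add 200 allow tcp from any to any 80 tagged $TAG
add 300 fwd $PROXY_IP,$PROXY_PORT tcp from not me to any 80 layer2
EOF
}

# 1-based position of the first emitted rule matching a pattern, so the
# ordering invariant (bypass rule before fwd rule) can be checked without ipfw.
rule_position() {
    build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Install the rules with ipfw(8). Set IPFW=echo to preview the exact commands
# on a machine that has no ipfw.
apply_rules() {
    build_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        ${IPFW:-ipfw} -q $rule
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules
fi
```

Run it without arguments to print the ruleset, `IPFW=echo ./tproxy-rules.sh apply` to see the ipfw invocations, and `./tproxy-rules.sh apply` as root to install them. The ordering is the whole point: if rule 300 came first, the proxy's outbound SYNs (source = client, destination port 80, not "me") would be forwarded straight back to 127.0.0.1:3128, which is the loop described above.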
