From owner-freebsd-pf@FreeBSD.ORG Sun Jan 2 04:55:33 2011
From: jay@experts-exchange.com
To: freebsd-pf@freebsd.org
Date: Sat, 1 Jan 2011 20:38:31 -0800
Message-ID: <8fb3caa1300a9fcc5c2f23a70ade23a8.squirrel@mail.experts-exchange.com>
Subject: transparent proxy

Folks,

I am trying to use stunnel & pf to devise a transparent proxy, but am unable to figure out how to do it. What I have is ext ip -> stunnel -> http service, but the http service does not know where to route back the packets, and remains in a sync state.

00:40:28.313038 IP 192.168.103.2.51791 > 127.0.0.1.80: Flags [S], seq 2806128000, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 2027735 ecr 0], length 0
00:40:31.306553 IP 192.168.103.2.51791 > 127.0.0.1.80: Flags [S], seq 2806128000, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 2028035 ecr 0], length 0
00:40:34.506518 IP 192.168.103.2.51791 > 127.0.0.1.80: Flags [S], seq 2806128000, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 2028355 ecr 0], length 0
00:40:37.706528 IP 192.168.103.2.51791 > 127.0.0.1.80: Flags [S], seq 2806128000, win 65535, options [mss 16344,sackOK,eol], length 0

rpminit# netstat -ln
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.103.2.51218    127.0.0.1.80           SYN_SENT
tcp4       0      0  192.168.103.62.443     192.168.103.2.51218    ESTABLISHED

If I disable the transparent config setting the communication works, but http access logs show the request coming from localhost.
00:26:53.435415 IP 127.0.0.1.30655 > 127.0.0.1.80: Flags [P.], ack 1, win 8960, options [nop,nop,TS val 1946248 ecr 3625203070], length 6
00:26:53.435864 IP 127.0.0.1.80 > 127.0.0.1.30655: Flags [P.], ack 7, win 8960, options [nop,nop,TS val 3625203735 ecr 1946248], length 44
00:26:53.436426 IP 127.0.0.1.80 > 127.0.0.1.30655: Flags [F.], seq 45, ack 7, win 8960, options [nop,nop,TS val 3625203735 ecr 1946248], length 0
00:26:53.436463 IP 127.0.0.1.30655 > 127.0.0.1.80: Flags [.], ack 46, win 8960, options [nop,nop,TS val 1946248 ecr 3625203735], length 0
00:26:53.526062 IP 127.0.0.1.30655 > 127.0.0.1.80: Flags [F.], seq 7, ack 46, win 8960, options [nop,nop,TS val 1946257 ecr 3625203735], length 0
00:26:53.526112 IP 127.0.0.1.80 > 127.0.0.1.30655: Flags [.], ack 8, win 8959, options [nop,nop,TS val 3625203744 ecr 1946257], length 0
00:28:03.523841 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [S], seq 1128551040, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1953257 ecr 0], length 0
00:28:03.523924 IP 127.0.0.1.80 > 127.0.0.1.47994: Flags [S.], seq 4120370047, ack 1128551041, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 727165180 ecr 1953257], length 0
00:28:03.523942 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [.], ack 1, win 8960, options [nop,nop,TS val 1953257 ecr 727165180], length 0
00:28:05.254567 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [P.], ack 1, win 8960, options [nop,nop,TS val 1953430 ecr 727165180], length 6
00:28:05.254888 IP 127.0.0.1.80 > 127.0.0.1.47994: Flags [P.], ack 7, win 8960, options [nop,nop,TS val 727165353 ecr 1953430], length 44
00:28:05.255194 IP 127.0.0.1.80 > 127.0.0.1.47994: Flags [F.], seq 45, ack 7, win 8960, options [nop,nop,TS val 727165353 ecr 1953430], length 0
00:28:05.255234 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [.], ack 46, win 8960, options [nop,nop,TS val 1953430 ecr 727165353], length 0
00:28:05.408742 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [F.], seq 7, ack 46, win 8960, options [nop,nop,TS val 1953445 ecr 727165353], length 0
00:28:05.408799 IP 127.0.0.1.80 > 127.0.0.1.47994: Flags [.], ack 8, win 8959, options [nop,nop,TS val 727165368 ecr 1953445], length 0
00:28:59.372253 IP 192.168.103.2.60900 > 127.0.0.1.80: Flags [S], seq 2362825029, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1958842 ecr 0], length 0
00:29:02.371384 IP 192.168.103.2.60900 > 127.0.0.1.80: Flags [S], seq 2362825029, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1959142 ecr 0], length 0

==> /var/log/httpd-access.log <==
127.0.0.1 - - [01/Jan/2011:23:18:44 -0800] "GET /" 200 44 "-" "-"
127.0.0.1 - - [01/Jan/2011:23:18:53 -0800] "GET /" 200 44 "-" "-"
127.0.0.1 - - [01/Jan/2011:23:21:48 -0800] "GET /" 200 44 "-" "-"

I've tried to set up a rdr rule to redirect requests from internal ip to external port 80 to internal port 80, but no luck.

/etc/pf.conf

int_if="lo0"
ext_if="ed0"

rdr on $int_if inet proto tcp from $int_if to any port 80 -> 127.0.0.1 port 80

Under Linux, it is possible to set up rules to perform internal proxy diverting thereby, "Re-write address to appear as if wrapped daemon is connecting from the SSL client machine instead of the machine running stunnel." See also http://www.stunnel.org/faq/stunnel.html and http://www.stunnel.org/faq/transparent.html.

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

Is there a way to devise pf rdr rules to do the same?
Thanks

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 2 14:25:45 2011
From: Damien Fleuriot <ml@my.gd>
To: freebsd-pf@freebsd.org
Date: Sun, 02 Jan 2011 15:25:38 +0100
Message-ID: <4D208AE2.6000402@my.gd>
In-Reply-To: <8fb3caa1300a9fcc5c2f23a70ade23a8.squirrel@mail.experts-exchange.com>
Subject: Re: transparent proxy

Hi Jay,

I'm not sure what you're trying to achieve here.

Are you actually using proxy software at all, or only a PF redirect rule?

Are you trying to set up a FORWARD or a REVERSE proxy?

What do you use stunnel for, SSL/TLS connectivity?
From owner-freebsd-pf@FreeBSD.ORG Sun Jan 2 17:37:34 2011
From: jay@experts-exchange.com
To: Damien Fleuriot <ml@my.gd>
Cc: freebsd-pf@freebsd.org
Date: Sun, 2 Jan 2011 09:37:34 -0800
Message-ID: <3020c1e8b0ecb5e9bacb1033ddea2b3e.squirrel@mail.experts-exchange.com>
In-Reply-To: <4D208AE2.6000402@my.gd>
Subject: Re: transparent proxy

Hi Damien,

Here I am using HTTP traffic as an illustration, but for other generic services without the built-in SSL layer, it would be highly advantageous to be able to add stunnel to do the job. The target application (e.g. VNC, database client/server connection, and so on) need not be re-coded. Running stunnel as an intermediate layer has the side effect of connecting to the internal services from a local IP address. In this configuration, it becomes a proxy service that takes the incoming network communication, filters out the SSL traffic and passes along the service payload as well as back again. Stunnel is being used for SSL/TLS connectivity.

The "transparent" setting, available on Linux platforms, would bind() to a foreign address prior to calling connect(), issue an IP_TPROXY_ASSIGN setsockopt to register the local address as a proxy, and use iptables and ip routing rules to keep track of the forward and reverse routing. To the service on the other side, it appears the client network traffic originates from a foreign IP address.
We patched stunnel for v.8.1 of FreeBSD to use setsockopt IP_BINDANY, and thus preserve the foreign address, but for the service on the other side, it tries to establish the connection and fails because the routing is not set up to return the traffic to stunnel.

Without transparent mode, network communication is:

ext ip -> stunnel -> int ip -> http service

For int ip -> http svc, real tcpdump traffic is:

00:26:53.435415 IP 127.0.0.1.30655 > 127.0.0.1.80: Flags [P.], ack 1, ...

On the other side, e.g. the return path:

http -> int ip -> stunnel -> ext ip

At the http svc, packets are sent as:

00:26:53.435864 IP 127.0.0.1.80 > 127.0.0.1.30655: Flags [P.], ack 7, ...

This works perfectly, but according to the apache logs, the requests look like they all originate from the internal '127.0.0.1' address.

Now with transparent mode, it is:

ext ip -> stunnel -> ext ip -> http

00:40:28.313038 IP 192.168.103.2.51791 > 127.0.0.1.80: Flags [S], ack ...

But the return path is bad, and the network connection is stuck in a SYNC state.

http X-> ext ip

How can I create PF rules to create a reverse rule then to say if (hypothetically):

http -> ext ip (proxy/rdr) -> stunnel -> ext ip

nn:nn:nn.nnnnnn IP 127.0.0.1.51791 > 192.168.103.2.80: Flags [S], ack ...

In this case it would look like a REVERSE proxy of "internal 127.x.x.x, port any (except port 80) to the 'external' 192.x.x.x port 80" to "internal 127.x.x.x, port any to 127.x.x.x port 80". This is what I tried unsuccessfully to create with the rdr rule.

rdr on $int_if inet proto tcp from $int_if to any port 80 -> 127.0.0.1 port 80

Really I am trying to reproduce the Linux version of the kernel level DIVERT proxy filters, so my version is not capturing that function. From my lack of understanding of PF, I don't know that it can work this way.

Thanks

> I'm not sure what you're trying to achieve here.
>
> Are you actually using proxy software at all, or only a PF redirect rule ?
>
> Are you trying to set up a FORWARD or a REVERSE proxy ?
>
> What do you use stunnel for, SSL/TLS connectivity ?
From owner-freebsd-pf@FreeBSD.ORG Sun Jan 2 17:50:43 2011
From: Damien Fleuriot <ml@my.gd>
To: jay@experts-exchange.com
Cc: freebsd-pf@freebsd.org
Date: Sun, 02 Jan 2011 18:50:35 +0100
Message-ID: <4D20BAEB.10101@my.gd>
In-Reply-To: <3020c1e8b0ecb5e9bacb1033ddea2b3e.squirrel@mail.experts-exchange.com>
Subject: Re: transparent proxy

In other software such as HTTP that you took for example, there's this special X-Forwarded-For header which covers this very need.

IMO you shouldn't have to tweak around with the firewall or the IP stack to make up for a missing capability but nvm.

Perhaps these 2 PF rules would be of use to you:

     route-to
           The route-to option routes the packet to the specified interface
           with an optional address for the next hop.  When a route-to rule
           creates state, only packets that pass in the same direction as the
           filter rule specifies will be routed in this way.  Packets passing
           in the opposite direction (replies) are not affected and are routed
           normally.

     reply-to
           The reply-to option is similar to route-to, but routes packets that
           pass in the opposite direction (replies) to the specified
           interface.  Opposite direction is only defined in the context of a
           state entry, and reply-to is useful only in rules that create
           state.  It can be used on systems with multiple external
           connections to route all outgoing packets of a connection through
           the interface the incoming connection arrived through (symmetric
           routing enforcement).

On 1/2/11 6:37 PM, jay@experts-exchange.com wrote:
> Hi Damien,
>
> Here I am using HTTP traffic as an illustration, but for other generic
> services without the built in SSL layer, it would be highly advantageous
> to be able to add stunnel to do the job. The target application (e.g. VNC,
> database client/server connection, and so on) need not be re-coded.
> Running stunnel as an intermediate layer has the side effect of connecting
> to the internal services from a local IP address. In this configuration,
> it becomes a proxy service that takes the incoming network communication,
> filters out the SSL traffic and passes along the service payload as well
> as back again. Stunnel is being used for SSL/TLS connectivity.
>>> >>> Thanks > > From owner-freebsd-pf@FreeBSD.ORG Sun Jan 2 20:04:20 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 59B7A106566C for ; Sun, 2 Jan 2011 20:04:20 +0000 (UTC) (envelope-from jay@experts-exchange.com) Received: from mail.experts-exchange.com (mail.experts-exchange.com [72.29.183.251]) by mx1.freebsd.org (Postfix) with ESMTP id 366C68FC14 for ; Sun, 2 Jan 2011 20:04:19 +0000 (UTC) Received: from mail.experts-exchange.com (localhost [127.0.0.1]) by mail.experts-exchange.com (Postfix) with ESMTP id DC3A4CA7494; Sun, 2 Jan 2011 12:04:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d= experts-exchange.com; h=content-transfer-encoding:content-type :content-type:mime-version:user-agent:from:from:subject:subject :date:date:references:in-reply-to:message-id:received:received :received; s=ee; t=1293998659; x=1295813059; bh=ndpHZRqqkYkj8zHp TLHQF/3Htg8UQ85o7c80v7ZD2uI=; b=NoHkxIrfL6SWA//+HQrr8RVhFnkg7wc+ NfwLJ88yQGTWpU8k1msuYWXIL2AeoQnEwlRYsyLcbeSVKpdNDIAoc4U3F4zEQieN LkSC8WYai0T6W/LkQXdwbIa1B9GgrzUq//8vDXFUoI4gI+zhVWzQyPuPeIdkt6df NpDewdrpvsA= X-Virus-Scanned: amavisd-new at experts-exchange.com Received: from mail.experts-exchange.com ([127.0.0.1]) by mail.experts-exchange.com (mail.experts-exchange.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PC3KVz4O+5OI; Sun, 2 Jan 2011 12:04:19 -0800 (PST) Received: from mail.experts-exchange.com (localhost [127.0.0.1]) by mail.experts-exchange.com (Postfix) with ESMTP id 9DB2ECA747E; Sun, 2 Jan 2011 12:04:19 -0800 (PST) Received: from 24.205.246.163 (SquirrelMail authenticated user jay) by mail.experts-exchange.com with HTTP; Sun, 2 Jan 2011 12:04:19 -0800 Message-ID: <5275a39aa1849d38d509a42b627dd4b0.squirrel@mail.experts-exchange.com> In-Reply-To: <4D20BAEB.10101@my.gd> References: <8fb3caa1300a9fcc5c2f23a70ade23a8.squirrel@mail.experts-exchange.com> 
Date: Sun, 2 Jan 2011 12:04:19 -0800
From: jay@experts-exchange.com
To: "Damien Fleuriot"
Cc: freebsd-pf@freebsd.org
Subject: Re: transparent proxy

> In other software such as HTTP that you took for example, there's this
> special X-Forwarded-For header which covers this very need.

Squid can talk SSL, so insertion of XFF is possible. But for other
applications, XFF is of no use.

> IMO you shouldn't have to tweak around with the firewall or the IP stack
> to make up for a missing capability but nvm.

I don't think I need to make up for a missing capability, as man 4 ip says :

    If the IP_BINDANY option is enabled on a SOCK_STREAM, SOCK_DGRAM or a
    SOCK_RAW socket, one can bind(2) to any address, even one not bound to
    any available network interface in the system. This functionality (in
    conjunction with special firewall rules) can be used for implementing
    a transparent proxy. The PRIV_NETINET_BINDANY privilege is needed to
    set this option.

http://www.freebsd.org/cgi/man.cgi?query=ip&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&format=html

Here I want :

nn:nn:nn.nnnnnn IP 127.0.0.1.51791 > 192.168.103.2.80: Flags [S], ack ...

int_if="lo0"
ext_if="ed0"

pass in on $int_if route-to ($int_if 127.0.0.1) from 192.168.103.1 keep state

But no good (it's not able to sync) :

20:02:17.282414 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq 3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 8998630 ecr 0], length 0
20:02:20.276987 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq 3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 8998930 ecr 0], length 0
20:02:23.477037 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq 3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 8999250 ecr 0], length 0
20:02:26.677036 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq 3005214022, win 65535, options [mss 16344,sackOK,eol], length 0

Visualizing the result of the rule is not too keen.

Thanks

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 2 20:16:06 2011
Message-ID: <4D20DD02.2090605@my.gd>
Date: Sun, 02 Jan 2011 21:16:02 +0100
From: Damien Fleuriot
To: jay@experts-exchange.com
In-Reply-To: <5275a39aa1849d38d509a42b627dd4b0.squirrel@mail.experts-exchange.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: transparent proxy

On 1/2/11 9:04 PM, jay@experts-exchange.com wrote:
> Here I want :
>
> nn:nn:nn.nnnnnn IP 127.0.0.1.51791 > 192.168.103.2.80: Flags [S], ack ...
>
> int_if="lo0"
> ext_if="ed0"
>
> pass in on $int_if route-to ($int_if 127.0.0.1) from 192.168.103.1 keep state
>
> But no good (it's not able to sync) :
>

How do things go when using synproxy in your pass rule ?

Something like: pass in log on $int_if route-to ($int_if 127.0.0.1) from 192.168.103.1 synproxy state

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 2 21:57:04 2011
Message-ID: <4aff223f1053b2cf89f32eb89a184643.squirrel@mail.experts-exchange.com>
In-Reply-To: <4D20DD02.2090605@my.gd>
Date: Sun, 2 Jan 2011 13:57:03 -0800
From: jay@experts-exchange.com
To: "Damien Fleuriot"
Cc: freebsd-pf@freebsd.org
Subject: Re: transparent proxy

Is there a way to see what the rule is doing? It didn't have any effect.

I've been trying different combinations, sometimes targeting 192.168.103.2.
One test locked up the host.

> On 1/2/11 9:04 PM, jay@experts-exchange.com wrote:
>> Here I want :
>>
>> nn:nn:nn.nnnnnn IP 127.0.0.1.51791 > 192.168.103.2.80: Flags [S], ack ...
>>
>> int_if="lo0"
>> ext_if="ed0"
>>
>> pass in on $int_if route-to ($int_if 127.0.0.1) from 192.168.103.1 keep state
>>
>> But no good (it's not able to sync) :
>>
>
> How do things go when using synproxy in your pass rule ?
>
> Something like: pass in log on $int_if route-to ($int_if 127.0.0.1) from
> 192.168.103.1 synproxy state
>

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 2 21:59:31 2011
Message-ID: <0d256a6f108ee1e15225ef3db09c1763.squirrel@mail.experts-exchange.com>
In-Reply-To: <4D20DD02.2090605@my.gd>
Date: Sun, 2 Jan 2011 13:59:31 -0800
From: jay@experts-exchange.com
To: "Damien Fleuriot"
Cc: freebsd-pf@freebsd.org
Subject: Re: transparent proxy

From studying squid rules, I found the following pf rule set. Does this do
something similar to what I'm after? I tried something like this but it
didn't help.

int_if="gem0"
ext_if="kue0"

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

http://www.benzedrine.cx/transquid.html

Thanks

> On 1/2/11 9:04 PM, jay@experts-exchange.com wrote:
>> Here I want :
>>
>> nn:nn:nn.nnnnnn IP 127.0.0.1.51791 > 192.168.103.2.80: Flags [S], ack ...
>>
>> int_if="lo0"
>> ext_if="ed0"
>>
>> pass in on $int_if route-to ($int_if 127.0.0.1) from 192.168.103.1 keep state
>>
>> But no good (it's not able to sync) :
>>
>
> How do things go when using synproxy in your pass rule ?
>
> Something like: pass in log on $int_if route-to ($int_if 127.0.0.1) from
> 192.168.103.1 synproxy state
>

From owner-freebsd-pf@FreeBSD.ORG Sun Jan 2 22:07:34 2011
Message-ID: <4D20F721.6070203@my.gd>
Date: Sun, 02 Jan 2011 23:07:29 +0100
From: Damien Fleuriot
To: jay@experts-exchange.com
In-Reply-To: <0d256a6f108ee1e15225ef3db09c1763.squirrel@mail.experts-exchange.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: transparent proxy
On 1/2/11 10:59 PM, jay@experts-exchange.com wrote:
> From studying squid rules, I found the following pf rule set. Does this do
> something similar to what I'm after? I tried something like this but it
> didn't help.
>
> int_if="gem0"
> ext_if="kue0"
>
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass out on $ext_if inet proto tcp from any to any port www keep state
>
> http://www.benzedrine.cx/transquid.html
>

Allow me to explain the rules in detail.

1/ redirect all traffic that passes through us from anyone to anywhere on
port 80 to the local machine on port 3128

2/ Actually allow everyone to contact the local machine on port 3128 (this
has the same effect as if you had written "rdr pass" in the first rule)

3/ Allow outgoing traffic on our external interface to web servers (which
comes in use if you don't have a "pass out" rule for everything)

However regarding squid you need to compile it with the transparent proxy
for PF option, so there's likely special code to be enabled in squid.

I'm not sure your stunnel is gonna like it.

> Thanks
>
>> On 1/2/11 9:04 PM, jay@experts-exchange.com wrote:
>>> Here I want :
>>>
>>> nn:nn:nn.nnnnnn IP 127.0.0.1.51791 > 192.168.103.2.80: Flags [S], ack ...
>>>
>>> int_if="lo0"
>>> ext_if="ed0"
>>>
>>> pass in on $int_if route-to ($int_if 127.0.0.1) from 192.168.103.1 keep state
>>>
>>> But no good (it's not able to sync) :
>>>
>>
>> How do things go when using synproxy in your pass rule ?
>>
>> Something like: pass in log on $int_if route-to ($int_if 127.0.0.1) from
>> 192.168.103.1 synproxy state
>>
>

From owner-freebsd-pf@FreeBSD.ORG Mon Jan 3 11:07:09 2011
Message-Id: <201101031107.p03B78gf046569@freefall.freebsd.org>
Date: Mon, 3 Jan 2011 11:07:08 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf    [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

46 problems total.
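Damien's walk-through of the three transquid rules earlier in this thread (rdr on the internal interface, then a pass in rule for 127.0.0.1 port 3128, then a pass out rule on the external interface) is easier to reason about with a small model of pf's evaluation order. The following is an added example and not code from the thread, from pf or from squid: a simplified Python model in which rdr translation is applied to inbound packets before the filter rules, the filter rules see the translated destination, and without `quick` the last matching filter rule wins. The interface names and rules are the ones quoted in the thread; the client, web server and proxy addresses are constructed documentation addresses, and a default-block policy is assumed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on
    direction: str   # "in" or "out"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Model of the transquid rules quoted above: gem0 is $int_if, kue0 is
# $ext_if, and "port www" is written as 80.
RDR_RULES = [
    # rule 1: rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
    {"on": "gem0", "proto": "tcp", "dport": 80, "rdr_to": ("127.0.0.1", 3128)},
]
FILTER_RULES = [
    # rule 2: pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128
    {"action": "pass", "direction": "in", "on": "gem0", "proto": "tcp",
     "dst": "127.0.0.1", "dport": 3128},
    # rule 3: pass out on $ext_if inet proto tcp from any to any port www
    {"action": "pass", "direction": "out", "on": "kue0", "proto": "tcp",
     "dport": 80},
]


def apply_rdr(pkt, rdr_rules):
    """Translation step: rdr is evaluated on inbound packets before the
    filter rules, and the first matching rdr rule rewrites the destination,
    so the filter rules afterwards see 127.0.0.1:3128, not the web server."""
    if pkt.direction != "in":
        return pkt
    for r in rdr_rules:
        if r["on"] == pkt.iface and r["proto"] == pkt.proto and r["dport"] == pkt.dport:
            return replace(pkt, dst=r["rdr_to"][0], dport=r["rdr_to"][1])
    return pkt


def filter_verdict(pkt, filter_rules, default="block"):
    """Filter step: without 'quick' the last matching rule wins; with no
    match the default policy applies (a 'block all' default is assumed)."""
    verdict = default
    for r in filter_rules:
        if r["direction"] != pkt.direction or r["on"] != pkt.iface:
            continue
        if r.get("proto") not in (None, pkt.proto):
            continue
        if r.get("dst") not in (None, pkt.dst):
            continue
        if r.get("dport") not in (None, pkt.dport):
            continue
        verdict = r["action"]
    return verdict


def evaluate(pkt, rdr_rules=RDR_RULES, filter_rules=FILTER_RULES):
    """Run one packet through translation and then filtering; returns the
    verdict together with the packet as the filter rules saw it."""
    seen = apply_rdr(pkt, rdr_rules)
    return filter_verdict(seen, filter_rules), seen


# Constructed sample packets (documentation addresses, not from the thread).
CLIENT_HTTP = Packet("gem0", "in", "tcp", "192.168.103.50", 40000, "198.51.100.10", 80)
CLIENT_HTTPS = Packet("gem0", "in", "tcp", "192.168.103.50", 40001, "198.51.100.10", 443)
PROXY_OUT = Packet("kue0", "out", "tcp", "203.0.113.5", 50000, "198.51.100.10", 80)


def demo():
    """Evaluate the sample packets; the second case drops rule 2 to show that
    a redirect alone does not pass the translated packet."""
    return {
        "client_http_all_rules": evaluate(CLIENT_HTTP),
        "client_http_without_rule2": evaluate(CLIENT_HTTP, filter_rules=FILTER_RULES[1:]),
        "client_https": evaluate(CLIENT_HTTPS),
        "proxy_out": evaluate(PROXY_OUT),
    }


if __name__ == "__main__":
    for name, (verdict, seen) in demo().items():
        print(f"{name:28s} {verdict:5s} filter saw dst {seen.dst}:{seen.dport}")
```

Running it shows the point behind rule 2: the filter rules see the translated destination 127.0.0.1:3128, so a redirect without a matching pass rule is blocked under a default-deny policy, while port 443 traffic is neither redirected nor passed and the proxy's own outbound port 80 connections are passed by rule 3.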

From owner-freebsd-pf@FreeBSD.ORG Tue Jan 4 01:56:59 2011
In-Reply-To: <4D20DD02.2090605@my.gd>
Date: Mon, 3 Jan 2011 17:56:58 -0800
From: jay@experts-exchange.com
To: "Damien Fleuriot"
Cc: freebsd-pf@freebsd.org
Subject: Re: transparent proxy

> Something like: pass in log on $int_if route-to ($int_if 127.0.0.1) from
> 192.168.103.1 synproxy state

Interesting, the client shows :

CONNECTED(00000003)

Pflog shows (this time 192.168.103.69 was used in place of 192.168.103.1):

1294126958.718778 rule 0/0(match): pass in on ed0: (tos 0x0, ttl 64, id 6708, offset 0, flags [DF], proto TCP (6), length 60) 192.168.103.69.51472 > 192.168.103.62.443: Flags [S], cksum 0xb80b (correct), seq 4218566242, win 5840, options [mss 1460,sackOK,TS val 5844054 ecr 0,nop,wscale 7], length 0

For tcpdump, there was no network communication.

I guess it's close, but not yet working.
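Throughout this thread the symptom shows up the same way in tcpdump: a SYN from a non-loopback source into 127.0.0.1:80 is retransmitted every few seconds with no SYN-ACK, while a plain loopback handshake completes. The following is an added example, not code from the thread: a Python checker that parses tcpdump lines, groups them into flows and reports half-open flows, flagging the ones whose destination is a loopback address but whose source is not, which is the case where the server's reply is routed towards the real client instead of back to the proxy that bound the client's address. The sample input is a constructed copy of lines posted earlier in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: copies of tcpdump lines posted earlier in this thread.
# The first flow is the failing one (SYN retransmitted, no SYN-ACK); the
# second is the completed loopback handshake seen with transparent mode off.
SAMPLE_TCPDUMP = """\
20:02:17.282414 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq 3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 8998630 ecr 0], length 0
20:02:20.276987 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq 3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 8998930 ecr 0], length 0
20:02:23.477037 IP 192.168.103.2.56991 > 127.0.0.1.80: Flags [S], seq 3005214022, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 8999250 ecr 0], length 0
00:28:03.523841 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [S], seq 1128551040, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1953257 ecr 0], length 0
00:28:03.523924 IP 127.0.0.1.80 > 127.0.0.1.47994: Flags [S.], seq 4120370047, ack 1128551041, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 727165180 ecr 1953257], length 0
00:28:03.523942 IP 127.0.0.1.47994 > 127.0.0.1.80: Flags [.], ack 1, win 8960, options [nop,nop,TS val 1953257 ecr 727165180], length 0
"""

# One "tcpdump -n" TCP line: timestamp, "IP", src.port > dst.port, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text):
    """Return (src, sport, dst, dport, flags) tuples, skipping any line that
    is not a TCP line in the format above."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append((m["src"], m["sport"], m["dst"], m["dport"], m["flags"]))
    return packets


def track_flows(packets):
    """Group packets by the client-side 4-tuple and record handshake
    progress: number of SYNs sent, whether a SYN-ACK came back, and whether
    the client's final ACK was seen."""
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "ack": False})
    for src, sport, dst, dport, flags in packets:
        if flags == "S":                      # client SYN
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif flags == "S.":                   # server SYN-ACK, keyed from the client side
            flows[(dst, dport, src, sport)]["synack"] = True
        elif flags == "." and (src, sport, dst, dport) in flows:
            flows[(src, sport, dst, dport)]["ack"] = True
    return flows


def diagnose(text):
    """Classify every flow and flag the return-path mismatch: a SYN whose
    destination is loopback but whose source is not. Replies to such a SYN
    are routed towards the real source, not back to a local proxy that
    bound that address."""
    report = {}
    for (src, sport, dst, dport), f in track_flows(parse_tcpdump(text)).items():
        if f["synack"] and f["ack"]:
            status = "established"
        elif f["synack"]:
            status = "syn-ack seen, final ack missing"
        else:
            status = "half-open: %d SYN(s), no SYN-ACK" % f["syn"]
        mismatch = (ipaddress.ip_address(dst).is_loopback
                    and not ipaddress.ip_address(src).is_loopback)
        report[(src, sport, dst, dport)] = {
            "status": status,
            "syn_count": f["syn"],
            "loopback_mismatch": mismatch,
        }
    return report


if __name__ == "__main__":
    for (src, sport, dst, dport), r in diagnose(SAMPLE_TCPDUMP).items():
        note = "  <- non-loopback source into loopback" if r["loopback_mismatch"] else ""
        print("%s:%s -> %s:%s  %s%s" % (src, sport, dst, dport, r["status"], note))
```

Feeding it a live capture (`tcpdump -n -i lo0 tcp port 80`) instead of the sample turns the "remains in a sync state" observation into a concrete check: a half-open flow with the mismatch flag set is the signature of the missing return route, and a flow that reaches "established" from 127.0.0.1 is the non-transparent case where the access log records the proxy's own address.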