From: "Alastair D'Silva"
To: freebsd-current@freebsd.org
Organization: New Millennium Networking
Message-Id: <1094768862.1380.10.camel@crusher.laptop>
Date: Fri, 10 Sep 2004 08:27:42 +1000
Subject: Transparent proxying broken?

It seems that transparent proxying has been broken with all the changes
to the networking stack.

These are the relevant rules (where nmn_wireless and internet are
#defines):

  add 3501 fwd 127.0.0.1,3128 tcp from nmn_wireless to internet 80 keep-state
  add 3502 fwd 127.0.0.1,25 tcp from nmn_wireless to internet 25 keep-state

Uname output:

  FreeBSD picard.newmillennium.net.au 6.0-CURRENT FreeBSD 6.0-CURRENT #20: Thu Sep 9 20:48:35 EST 2004 root@picard.newmillennium.net.au:/usr/obj/usr/src/sys/PICARD i386

Trying to connect from the nmn_wireless network:

  bash-2.05b$ telnet www.freebsd.org 80
  Trying 216.136.204.117...
  telnet: connect to address 216.136.204.117: Operation timed out
  telnet: Unable to connect to remote host

Tcpdump output of the above session:

  picard# tcpdump -i ath0 not port 22
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
  08:22:28.451296 IP crusher.nmn.cafn.57238 > gateway.fedpark.cafn.domain: 34209+ [1au] AAAA? ns1.downloadtech.com. (49)
  08:22:28.451438 IP crusher.nmn.cafn.57238 > gateway.fedpark.cafn.domain: 9384+ [1au] AAAA? ns2.downloadtech.com. (49)
  08:22:28.451916 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535
  08:22:28.652615 IP gateway.fedpark.cafn.domain > crusher.nmn.cafn.57238: 34209 0/1/1 (96)
  08:22:28.654474 IP gateway.fedpark.cafn.domain > crusher.nmn.cafn.57238: 9384 0/1/1 (96)
  08:22:31.448320 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535
  08:22:34.648455 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535
  08:22:37.848571 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535
  08:22:41.048682 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535
  08:22:44.248793 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535
  08:22:50.449890 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535
  08:22:59.826015 IP crusher.nmn.cafn.57065 > picard.imap: P 1133767632:1133767689(57) ack 2198428885 win 33304
  08:22:59.856870 IP picard.imap > crusher.nmn.cafn.57065: P 1:29(28) ack 57 win 33304
  08:22:59.958772 IP crusher.nmn.cafn.57065 > picard.imap: . ack 29 win 33304
  08:23:02.661828 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535

Connecting to the Squid port that was forwarded to for transparent
proxying:

  bash-2.05b$ telnet picard.nmn.cafn 3128
  Trying 10.0.1.1...
  Connected to picard.nmn.cafn.
  Escape character is '^]'.

After deleting rule 3501, everything works (the connection also works
from picard)...

  bash-2.05b$ telnet www.freebsd.org 80
  Trying 216.136.204.117...
  Connected to www.freebsd.org.
  Escape character is '^]'.
  HEAD / HTTP/1.0

  HTTP/1.1 200 OK
  Date: Mon, 06 Sep 2004 22:25:43 GMT
  Server: Apache/1.3.x LaHonda (Unix)
  Last-Modified: Mon, 30 Aug 2004 21:24:54 GMT
  ETag: "26fc4c-8b7c-41339b26"
  Accept-Ranges: bytes
  Content-Length: 35708
  Connection: close
  Content-Type: text/html
  X-Pad: avoid browser bug

  Connection closed by foreign host.

-- 
Alastair D'Silva                  mob: 0423 762 819
Networking Consultant             fax: 0413 181 661
New Millennium Networking         web: http://www.newmillennium.net.au
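The symptom in the capture above is a client retransmitting its SYN to port 80 over and over while no SYN-ACK ever comes back from the other side, which is what a forwarding rule that swallows the connection looks like on the wire. The following script is an added example, not part of the original message or of FreeBSD: it reads tcpdump summary lines in the same old-style format shown in the post and reports every client-to-server flow whose SYNs were never answered, so a firewall change can be checked with a capture instead of by hand. The hostnames and packet lines in SAMPLE_CAPTURE are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the old-style tcpdump TCP summary line used in the post, e.g.
#   08:22:28.451916 IP client.lan.52164 > www.example.org.http: S 1:1(0) win 65535
#   08:22:40.100500 IP proxy.lan.3128 > client.lan.52170: S 2:2(0) ack 1 win 65535
# DNS and other non-TCP lines do not start with a TCP flag field and are skipped.
TCP_LINE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): '
    r'(?P<flags>[SPFR.]+)(?P<rest>.*)$'
)


def parse_line(line):
    """Return (timestamp, src, dst, is_syn, is_synack), or None for lines
    that are not TCP summaries (DNS queries, tcpdump banner text, ...)."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    flags = m.group('flags')
    has_ack = ' ack ' in m.group('rest')
    is_syn = 'S' in flags and not has_ack      # bare SYN from the client
    is_synack = 'S' in flags and has_ack       # SYN-ACK from the server
    return m.group('ts'), m.group('src'), m.group('dst'), is_syn, is_synack


def find_unanswered_syns(lines, min_syns=3):
    """Group packets per (client, server) flow and report flows in which the
    client sent at least min_syns SYNs and the server never sent a SYN-ACK."""
    syns = defaultdict(list)   # (client, server) -> list of SYN timestamps
    synacks = set()            # (client, server) pairs that received a SYN-ACK
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, is_syn, is_synack = parsed
        if is_syn:
            syns[(src, dst)].append(ts)
        elif is_synack:
            # A SYN-ACK travels server -> client, so flip it to the client's view.
            synacks.add((dst, src))
    report = []
    for flow, times in sorted(syns.items()):
        if len(times) >= min_syns and flow not in synacks:
            report.append({
                'client': flow[0],
                'server': flow[1],
                'syn_count': len(times),
                'first': times[0],
                'last': times[-1],
            })
    return report


# Constructed sample capture in the same format as the post: one HTTP flow whose
# SYNs go unanswered, one flow to a local proxy that completes its handshake,
# plus DNS and IMAP noise that must be ignored.
SAMPLE_CAPTURE = """\
08:22:28.451296 IP client.lan.57238 > gw.lan.domain: 34209+ [1au] AAAA? ns1.example.net. (49)
08:22:28.451916 IP client.lan.52164 > www.example.org.http: S 4239655572:4239655572(0) win 65535
08:22:28.652615 IP gw.lan.domain > client.lan.57238: 34209 0/1/1 (96)
08:22:31.448320 IP client.lan.52164 > www.example.org.http: S 4239655572:4239655572(0) win 65535
08:22:34.648455 IP client.lan.52164 > www.example.org.http: S 4239655572:4239655572(0) win 65535
08:22:37.848571 IP client.lan.52164 > www.example.org.http: S 4239655572:4239655572(0) win 65535
08:22:40.100000 IP client.lan.52170 > proxy.lan.3128: S 1000:1000(0) win 65535
08:22:40.100500 IP proxy.lan.3128 > client.lan.52170: S 2000:2000(0) ack 1001 win 65535
08:22:40.101000 IP client.lan.52170 > proxy.lan.3128: . ack 1 win 65535
08:22:59.826015 IP client.lan.57065 > mail.lan.imap: P 1133767632:1133767689(57) ack 2198428885 win 33304
"""

if __name__ == '__main__':
    for hit in find_unanswered_syns(SAMPLE_CAPTURE.splitlines()):
        print(f"{hit['client']} -> {hit['server']}: {hit['syn_count']} SYNs, "
              f"no SYN-ACK between {hit['first']} and {hit['last']}")
```

Run against a real capture with `tcpdump -i ath0 -n tcp | python3 script.py`-style piping (reading `sys.stdin` instead of SAMPLE_CAPTURE) and the report distinguishes the case in the post, where SYNs leave the client but nothing returns, from a reachable server that simply refuses the connection, which would show up as an RST rather than as silence. Modern tcpdump prints flags as `Flags [S]` instead of a bare `S`, so the regex would need adjusting for current output.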