Date: Sun, 2 Sep 2007 22:01:10 +1000 From: Norberto Meijome <freebsd@meijome.net> To: FreeBSD Net ML <freebsd-net@freebsd.org> Subject: SOLUTION + Patch to: pf rdr + netsed : reinject loop... Message-ID: <20070902220110.5c494bea@localhost> In-Reply-To: <20070831202729.7e4c0f7a@localhost> References: <20070831202729.7e4c0f7a@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 31 Aug 2007 20:27:29 +1000 Norberto Meijome <freebsd@meijome.net> wrote: > Hello everyone, I need your help / insight here :) Mel (fbsd.questions at rachie.is-a-geek.net ) has very kindly and cleverly provided a neat solution for this problem. It was posted to Question@, and it can be found here : http://lists.freebsd.org/pipermail/freebsd-questions/2007-August/156901.html thanks everyone for your help! B > > My setup, 2 VMs, XP (WinXP) and BSD (FreeBSD 6.2) > > [XP ,172.16.82.81 ] --- [172.16.82.81,em1 BSD A.B.C.D,em0] --- The Interweb ---- [Other_servers_galore] > > A.B.C.D is a public IP. > > [Other_servers_galore] represents all and any servers XP wants to talk to . I really don't know either port or IP of these servers. > > BSD is performing as gateway for XP , with NAT on em0 using pf. > > I want to replace certain bytes (FOO) in TCP packets between XP and [Other_servers_galore] for other bytes (BAR). Vlad Galu pointed out that net/netsed can help with this (with overhead, i know, this is only a test ). (Thanks again! ) > > so what I have setup : > > 1) pf.conf has : > ---- > ext_if="em0" > int_if="em1" > nat on $ext_if from $internal_net to any -> ($ext_if) > rdr on $int_if proto tcp from 172.16.82.81 to any -> 127.0.0.1 port 10101 > ----- > 2) I run netsed in transparent proxy mode as : > > netsed tcp 10101 0 0 s/FOO/BAR > > --- > The traffic from XP gets redirected just fine to netsed, which replaces the bytes just fine. BUT the changed packets (the output of netsed) get reinjected somewhere so that the rdr hits them again, sending them back to netsed ad infinitum. ( yes, i managed to hit a load of 700+ without anything ever leaving BSD ...quite cool) > > Now, netsed works just fine in that setup if I define the IP, eg : > pf.conf : > ext_if="em0" > int_if="em1" > nat on $ext_if from $internal_net to any -> ($ext_if) > rdr on $int_if proto tcp from 172.16.82.81 to O.P.Q.R -> 127.0.0.1 port 10101 > > netsed : > netsed tcp 10101 O.P.Q.R 0 s/FOO/BAR > > traffic goes to the external server O.P.Q.R ... but this was just a proof of concept, as I really can't tell the remote IPs in advance > > How do I modify this setup so that netsed packets aren't caught again by pf's rdr and sent back into netsed ? I'm happy to try other tools / setups... > > thanks for your time and any help you can provide :) > B _________________________ {Beto|Norberto|Numard} Meijome Commitment is active, not passive. Commitment is doing whatever you can to bring about the desired result. Anything less is half-hearted. I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070902220110.5c494bea>