Date: Tue, 08 Jan 2008 23:13:19 +0100 From: Andre Oppermann <andre@freebsd.org> To: Adrian Chadd <adrian@freebsd.org> Cc: Perforce Change Reviews <perforce@freebsd.org> Subject: Re: PERFORCE change 132710 for review Message-ID: <4783F57F.7010201@freebsd.org> In-Reply-To: <d763ac660801071810i1a20eaf9if59e265a0527e04e@mail.gmail.com> References: <200801071418.m07EIwNn036146@repoman.freebsd.org> <4782A21C.2060504@freebsd.org> <d763ac660801071810i1a20eaf9if59e265a0527e04e@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Adrian Chadd wrote: > On 08/01/2008, Andre Oppermann <andre@freebsd.org> wrote: > >> Reinventing the wheel? Have a look at IPFIREWALL_FORWARD >> which supports transparent proxying as well. > > Yes, but redirects it to a local listen() socket, effectively spoofing > the destination IP. The client (ie, the computer making the connect()) > thinks its talking to the original destination. > > This is meant to implement the other end - spoofing the local IP on > sockets that you connect() to, spoofing the local IP and not the > destination IP. This is intended to let a FreeBSD box (with relevant > symmetrical routing) pretend to be a client on a connect() to a remote > server. > > If this can be done within pf/ipfw right now then please let me know. :) The IPFIREWALL_FORWARD functionality should be able to do that as well. The direction of the spoof capture doesn't really matter as long as you reverse the rule from the traditional transparent proxy example. The only missing piece is binding a local socket to a non- local IP address. That you have to address in netinet/in_pcb.c either with global sysctl or a individual socket option. Should only take a dozen lines or less to do that (including the sysctl or socket option code). -- Andre
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4783F57F.7010201>