Date:      Thu, 27 Dec 2001 16:20:58 -0800 (PST)
From:      Henry Su <henrysu@nttmcl.com>
To:        Julian Elischer <julian@elischer.org>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   RE: socket call in the kernel
Message-ID:  <Pine.BSI.4.05L.10112271613450.28832-100000@alicia.nttmcl.com>
In-Reply-To: <Pine.BSF.4.21.0112271057040.84622-100000@InterJet.elischer.org>



**************
Henry Su     *
NTT MCL      *
**************

On Thu, 27 Dec 2001, Julian Elischer wrote:

> 
> 
> 
> 
> On Thu, 27 Dec 2001, Henry Su wrote:
> 
> > Thanks a lot Julian. Please let me know if u need more info.
> > 
> > 
> > My goal is using test2 as authentication server, when http request pass
> > through test2 box, test2 will redirect to an authentication url on itself.
> > 
> >  _________                   ___________________
> > |	    |crossover cable  |                  |
> > |test1    |---------------->|test2(ipfw,proxy) |----->router->Internet
> > |_________|                 |__________________|
> >           X.1.1.3                             X.1.1.2
> 
> 
> > 
> > 
> > test2 has ipfw and a proxy server for redirection, it is configured as a
> > bridge, one interface has ip address, one interface does not, which test1 is
> > connected to.
> 
> Assume dc1 on the router side of test2
> and dc2 on the crossover side of test2

That's a good one.

> is the router doing nat?
No.

> is X.x.x.x. a routable address?
Yes

> I presume that X.1.1.3 AND X.1.1.2 are on the same logical net.
> Are they both routable addresses?
> 
Yes

> firstly, bridging is a new factor. you didn't mention that before..
> I am not sure how bridging will interact with everything else.
> 
> What does netstat -aA show on test2? Is the server bound to an address?
> i.e. do you bind() the server to a particular address?
> if so which?
> 
> Why are you bridging?
> 

Because a gateway needs an IP on each interface, and we do not want to do that. We
want to assign only 1 IP on test2.


> do you want people on test1 to authenticate, or people coming in from the 
> internet? (you need to specify what you want to redirect..)
> 
People on test1. Assume test2 is the access control server and test1 is a client
that wants to get access.


> 
> > 
> > 
> > The rule for forwarding is:
> > 
> > #Forward no valid http packet to local authentication
> > ${fwcmd} add 65534 fwd localhost,8800 log tcp from any to any 80
> > 
> > 
> > 
> > For example, here's 2 cases, one works, one failed.
> > 
> > Failed case: from test1, "telnet www.yahoo.com 80", from the test2 ipfw log,
> > you can see the packet is forwarded (e.g "Dec 27 00:34:25 test2 /kernel:
> > ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1101
> > 129.219.10.10:80 in via dc2").
> > but the proxy server on test2 seems did not get the forwarded packet.
> > 
> > Worked case: from test1, "telnet test2 80", it just works. The proxy server
> > got the packet, and send redirection message to test1: "
> 
> I wonder if someone has broken fwd?
> if you do the following:
> on test2, telnet localhost 80
> and
> telnet www.freebsd.org 80
> 
> what happens?
> 


[16:14:38][root@test2:~]$ telnet localhost 80
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host
[16:14:41][root@test2:~]$ telnet www.freebsd.org 80
Trying 216.136.204.21...
Connected to freefall.freebsd.org.
Escape character is '^]'.
123
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
123 to /index.html not supported.<P>
Invalid method in request 123<P>
<HR>
<ADDRESS>Apache/1.3.x Gualala Server at www.freebsd.org Port 80</ADDRESS>
</BODY></HTML>
Connection closed by foreign host.



> > 
> > My guess is:
> > 
> > The proxy socket server can only listen to packet's dst ip address that
> > matches its own ip address. The proxy server is written by myself, it's java
> > socket server, when it receive any packet at port 8800, it sends back some
> > http redirection
> > information.
> > 
> 
> No the address that the server will be matched against is the 
> address in the fwd rule, and not the address in the packet.
> 
> roughly it does:
> 
> tempaddr = address_from_packet
> if (ipfw matches a fwd rule)
> 	tempaddr = address_in_rule
> find socket that matches tempaddr.
> 
> It could be that the bridging is somehow confusing the forwarding..
> 


That's right. Does a socket server care about a packet's dst ip? If a
packet's dst ip is not matched, the proxy server will drop it?


Thanks.






> 
> > 
> > 
> > 
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-net" in the body of the message
> > 
> 
> 
> 
> 
> 






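As an added illustration (not part of the thread) of the lookup Julian describes: a small Python model in which the address from the fwd rule, not the packet's destination, is what the listening socket is matched against. The rule, the packet from the ipfw log line and the bind cases are taken from the thread; 192.0.2.2 is a constructed stand-in for test2's own address X.1.1.2, and the exact-then-wildcard socket search is a simplification of the kernel's.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

INADDR_ANY = "0.0.0.0"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class FwdRule:
    # Simplified model of "ipfw add N fwd ADDR,PORT tcp from any to any DPORT".
    number: int
    fwd_addr: str
    fwd_port: int
    match_dport: int
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.proto and pkt.dport == self.match_dport


@dataclass(frozen=True)
class ListenSocket:
    bound_addr: str  # INADDR_ANY means the server bound to the wildcard address
    port: int


def lookup_socket(pkt: Packet, rules: Sequence[FwdRule],
                  sockets: Sequence[ListenSocket]) -> Optional[ListenSocket]:
    """Return the listening socket a packet is delivered to, following the
    order Julian sketches: start from the packet's destination, replace it
    with the rule's address if a fwd rule matches, then search sockets."""
    tempaddr, tempport = pkt.dst, pkt.dport
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            tempaddr, tempport = rule.fwd_addr, rule.fwd_port
            break
    # A socket bound to the exact address wins; a wildcard bind is the fallback.
    for sock in sockets:
        if sock.port == tempport and sock.bound_addr == tempaddr:
            return sock
    for sock in sockets:
        if sock.port == tempport and sock.bound_addr == INADDR_ANY:
            return sock
    return None  # no listener on the rewritten address: the packet is not delivered
```

In this model a proxy bound only to the box's own address never sees a packet forwarded to 127.0.0.1:8800, while one bound to the wildcard address does; `netstat -aA` on test2 shows which case applies.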