Date: Mon, 9 Jun 2003 02:02:04 +0300 From: Ruslan Ermilov <ru@freebsd.org> To: Vaclav Petricek <petricek@sec.ms.mff.cuni.cz> Cc: security@freebsd.org Subject: Re: redirect unauthorized users to a login page (natd as a transparent proxy) Message-ID: <20030608230204.GB88799@sunbay.com> In-Reply-To: <20030608220507.GA84706@sunbay.com> References: <Pine.BSF.4.50.0306082233300.86521-100000@sec.ms.mff.cuni.cz> <20030608220507.GA84706@sunbay.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--YToU2i3Vx8H2dn7O
Content-Type: multipart/mixed; boundary="ZwgA9U+XZDXt4+m+"
Content-Disposition: inline
--ZwgA9U+XZDXt4+m+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Mon, Jun 09, 2003 at 01:05:07AM +0300, Ruslan Ermilov wrote:
> On Sun, Jun 08, 2003 at 10:35:47PM +0200, Vaclav Petricek wrote:
> >=20
> > Hello
> >=20
> > I am trying to redirect all http traffic of unauthorized wifi users on a
> > wireless hotspot to a login page. The problem I have is that I can not
> > disable the regular address translation (I want the source address to s=
tay
> > the same).
> >=20
> > 10.0.0.7 is the wifi client
> > 195.250.155.29 is the web wifi user tries to access from his browser
> > 195.113.17.94 is my login page
> > 10.0.0.1 is the wifi interface on the server
> >=20
> > What happens is
> >=20
> > In [TCP] [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to
> > [TCP] 10.0.0.1:1036 -> 195.113.17.94:80
> >=20
> > The natd configuration file:
> > -----------------------------------------------------------------------=
--
> > interface wi0
> > port 1234
> > #proxy_only yes
> > reverse
> > proxy_rule port 80 server 195.113.17.94:80
> > -----------------------------------------------------------------------=
--
> >=20
> > Natd was run as natd -f /etc/natd.conf -v with
> > 00010 divert 1234 tcp from any to any via wi0
> >=20
> > I was hoping proxy_only will do the trick but it does not seem to have
> > any impact and the source address is changed anyway.
> >=20
> > A quick glance at the source did not help much to my understanding of t=
he
> > proxy_only option.
> >=20
> Confirmed as a bug. The attached patch worked for me,
> please test it. You'll have to recompile and reinstall
> libalias(3), then recompile and reinstall natd(8) with
> new library.
>=20
I was too fast. This patch doesn't work well. It works
in a sense that it doesn't modify source IP address of
the proxied packets, but it doesn't work in a sense that
reply packets do not undergo de-aliasing. The attached
patch is verified to work. Please test it instead.
Cheers,
--=20
Ruslan Ermilov Sysadmin and DBA,
ru@sunbay.com Sunbay Software Ltd,
ru@FreeBSD.org FreeBSD committer
--ZwgA9U+XZDXt4+m+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=p
Content-Transfer-Encoding: quoted-printable
Index: alias.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/lib/libalias/alias.c,v
retrieving revision 1.36
diff -u -p -r1.36 alias.c
--- alias.c 23 Jul 2002 00:16:19 -0000 1.36
+++ alias.c 8 Jun 2003 22:38:36 -0000
@@ -1425,6 +1425,10 @@ PacketAliasOut(char *ptr, /* v
SetDefaultAliasAddress(pip->ip_src);
}
}
+ else if (packetAliasMode & PKT_ALIAS_PROXY_ONLY)
+ {
+ SetDefaultAliasAddress(pip->ip_src);
+ }
=20
iresult =3D PKT_ALIAS_IGNORED;
if ((ntohs(pip->ip_off) & IP_OFFMASK) =3D=3D 0)
--ZwgA9U+XZDXt4+m+--
--YToU2i3Vx8H2dn7O
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQE+48BsUkv4P6juNwoRAgg6AJ4uk9DZ04rH04FOGBLpwmSOl2wPfQCeOKXQ
QRdYCO2xl05lmisN4l0oYHo=
=XF6c
-----END PGP SIGNATURE-----
--YToU2i3Vx8H2dn7O--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030608230204.GB88799>