Date: Mon, 9 Jun 2003 02:02:04 +0300 From: Ruslan Ermilov <ru@freebsd.org> To: Vaclav Petricek <petricek@sec.ms.mff.cuni.cz> Cc: security@freebsd.org Subject: Re: redirect unauthorized users to a login page (natd as a transparent proxy) Message-ID: <20030608230204.GB88799@sunbay.com> In-Reply-To: <20030608220507.GA84706@sunbay.com> References: <Pine.BSF.4.50.0306082233300.86521-100000@sec.ms.mff.cuni.cz> <20030608220507.GA84706@sunbay.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--YToU2i3Vx8H2dn7O Content-Type: multipart/mixed; boundary="ZwgA9U+XZDXt4+m+" Content-Disposition: inline --ZwgA9U+XZDXt4+m+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jun 09, 2003 at 01:05:07AM +0300, Ruslan Ermilov wrote: > On Sun, Jun 08, 2003 at 10:35:47PM +0200, Vaclav Petricek wrote: > >=20 > > Hello > >=20 > > I am trying to redirect all http traffic of unauthorized wifi users on a > > wireless hotspot to a login page. The problem I have is that I can not > > disable the regular address translation (I want the source address to s= tay > > the same). > >=20 > > 10.0.0.7 is the wifi client > > 195.250.155.29 is the web wifi user tries to access from his browser > > 195.113.17.94 is my login page > > 10.0.0.1 is the wifi interface on the server > >=20 > > What happens is > >=20 > > In [TCP] [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to > > [TCP] 10.0.0.1:1036 -> 195.113.17.94:80 > >=20 > > The natd configuration file: > > -----------------------------------------------------------------------= -- > > interface wi0 > > port 1234 > > #proxy_only yes > > reverse > > proxy_rule port 80 server 195.113.17.94:80 > > -----------------------------------------------------------------------= -- > >=20 > > Natd was run as natd -f /etc/natd.conf -v with > > 00010 divert 1234 tcp from any to any via wi0 > >=20 > > I was hoping proxy_only will do the trick but it does not seem to have > > any impact and the source address is changed anyway. > >=20 > > A quick glance at the source did not help much to my understanding of t= he > > proxy_only option. > >=20 > Confirmed as a bug. The attached patch worked for me, > please test it. You'll have to recompile and reinstall > libalias(3), then recompile and reinstall natd(8) with > new library. >=20 I was too fast. This patch doesn't work well. It works in a sense that it doesn't modify source IP address of the proxied packets, but it doesn't work in a sense that reply packets do not undergo de-aliasing. The attached patch is verified to work. Please test it instead. Cheers, --=20 Ruslan Ermilov Sysadmin and DBA, ru@sunbay.com Sunbay Software Ltd, ru@FreeBSD.org FreeBSD committer --ZwgA9U+XZDXt4+m+ Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=p Content-Transfer-Encoding: quoted-printable Index: alias.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/lib/libalias/alias.c,v retrieving revision 1.36 diff -u -p -r1.36 alias.c --- alias.c 23 Jul 2002 00:16:19 -0000 1.36 +++ alias.c 8 Jun 2003 22:38:36 -0000 @@ -1425,6 +1425,10 @@ PacketAliasOut(char *ptr, /* v SetDefaultAliasAddress(pip->ip_src); } } + else if (packetAliasMode & PKT_ALIAS_PROXY_ONLY) + { + SetDefaultAliasAddress(pip->ip_src); + } =20 iresult =3D PKT_ALIAS_IGNORED; if ((ntohs(pip->ip_off) & IP_OFFMASK) =3D=3D 0) --ZwgA9U+XZDXt4+m+-- --YToU2i3Vx8H2dn7O Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+48BsUkv4P6juNwoRAgg6AJ4uk9DZ04rH04FOGBLpwmSOl2wPfQCeOKXQ QRdYCO2xl05lmisN4l0oYHo= =XF6c -----END PGP SIGNATURE----- --YToU2i3Vx8H2dn7O--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030608230204.GB88799>