Date:      Mon, 4 Feb 2002 10:07:22 -0500 (EST)
From:      Greg Prosser <greg@straynet.com>
To:        "Jacques A. Vidrine" <n@nectar.cc>
Cc:        Mike Tancsa <mike@sentex.net>, Ruslan Ermilov <ru@FreeBSD.ORG>, <stable@FreeBSD.ORG>, Warner Losh <imp@FreeBSD.ORG>
Subject:   Re: dropping 127.* on the floor
Message-ID:  <20020204100307.F12914-100000@voyager.straynet.com>
In-Reply-To: <20020204143758.GA28243@madman.nectar.cc>

on Mon, 4 Feb 2002, Jacques A. Vidrine babbled ..

;; On Mon, Feb 04, 2002 at 09:29:08AM -0500, Mike Tancsa wrote:
;; > At 08:12 AM 2/4/02 -0600, Jacques A. Vidrine wrote:
;; >
;; > >See the Bugtraq archives for the thread starting with Message-ID:
;; > ><3AA3ECAB.EA826D28@thebunker.net>, subject ``Loopback and multi-homed
;; > >routing flaw in TCP/IP stack.'' for the reasons behind this change.
;; > >The following URL might work.
;; > >
;; > ><URL:http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=3AA3ECAB.EA826D28@thebunker.net>;
;; >
;; > What if this were dealt as part of firewall rules ?  i.e. GENERIC was built
;; > by default with IPFIREWALL and firewall_enable="YES" and
;; > firewall_type="OPEN" were set. That way the behavior that people have come
;; > to rely on is still there for those that need it.
;; >
;; > I have not tested this yet with my production transparent proxies but I
;; > will try so later today to see if the behavior is broken as a number of
;; > people have reported.
;;
;; We are talking about two different things: ip_input.c and ip_output.c.
;; The recent change to ip_output.c is what might break your transparent
;; proxy.  Above I am talking about the year-old change to ip_input.c.

According to the squid FAQ[1], they recommend using ipfw fwd rules
diverting traffic to 127.0.0.1 to transparently insert the cache server.
This behaviour is now broken, as ipfw rewrites the packet before it hits
the network stack, as does ipf, and both end up dropped.  I've tested and
confirmed this on 4.5-STABLE; the rules in the FAQ did not work for me.

-gnp

[1] squid FAQ URL: http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.8
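A small model of the ip_input.c sanity check the thread refers to, added here as an illustration; it is not FreeBSD's kernel code nor the squid FAQ's rule set. It assumes the check is "drop any packet whose source or destination is in 127/8 unless it arrived on the loopback interface", and it assumes that pointing the fwd rule at a non-loopback local address (a constructed 10.0.0.1 here) is the alternative a transparent proxy would use.

```python
import ipaddress

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def ip_input_accepts(src: str, dst: str, arrived_on_loopback: bool) -> bool:
    """Model (assumption, not kernel code) of the ip_input.c check:
    a packet with a 127/8 source or destination is only legitimate when it
    really came in through the loopback interface; otherwise it is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if (s in LOOPBACK_NET or d in LOOPBACK_NET) and not arrived_on_loopback:
        return False
    return True


def ipfw_fwd(packet: dict, fwd_to: str) -> dict:
    """Model of an `ipfw fwd` rule on the ingress path: the destination is
    rewritten before the stack's input check runs, which is why the rewritten
    packet is then judged by ip_input_accepts() above. Constructed model."""
    rewritten = dict(packet)
    rewritten["dst"] = fwd_to
    return rewritten


def transparent_proxy_delivered(client_src: str, web_dst: str, fwd_to: str) -> bool:
    """A client HTTP packet arrives on the router's real (non-loopback)
    interface, is fwd'ed to the proxy address, then passes through the input
    check. Returns True if the proxy would actually receive the packet."""
    pkt = {"src": client_src, "dst": web_dst, "loopback_if": False}  # constructed packet
    pkt = ipfw_fwd(pkt, fwd_to)
    return ip_input_accepts(pkt["src"], pkt["dst"], pkt["loopback_if"])


if __name__ == "__main__":
    # fwd to 127.0.0.1 (the FAQ's approach) is now dropped on the floor
    print("fwd 127.0.0.1:", transparent_proxy_delivered("192.0.2.10", "198.51.100.80", "127.0.0.1"))
    # fwd to a real local address (assumed alternative) still reaches the proxy
    print("fwd 10.0.0.1: ", transparent_proxy_delivered("192.0.2.10", "198.51.100.80", "10.0.0.1"))
```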
