Date:      Thu, 23 Jun 2005 10:57:23 +0800
From:      "fooler" <fooler@skyinet.net>
To:        <freebsd-net@freebsd.org>, "Ryan Rathje " <mrsharky@iastate.edu>
Subject:   Re: Transparent Squid 2.5Stable10 + FreeBSD 5.4
Message-ID:  <0a3701c5779f$4b023b30$42764eca@ilo.skyinet.net>
References:  <3933822510531721@webmail.iastate.edu>

----- Original Message ----- 
From: "Ryan Rathje " <mrsharky@iastate.edu>
To: <freebsd-net@freebsd.org>
Sent: Wednesday, June 22, 2005 9:33 PM
Subject: Transparent Squid 2.5Stable10 + FreeBSD 5.4


> Fooler,
>   Thanks for the suggestion thus far, it did clear some up.  When I use
> your suggestion of:
>
> ipfw add fwd 127.0.0.1,3128 tcp from any to any 80 in via em0
>
> 1 FreeBSD configured as a gateway with 2 nics
> sis0 - outside world nic
> em0 - internal network nic
>
> it appears to have some communication, but not all.  Here's what I mean:
> This is the output from ethereal when trying to visit the google website:
>
> 192.168.1.5 -> 216.239.39.99  TCP  3694 > http [SYN] seq=0 ack=0 win=16384 Len=0 MSS=1460
> 216.239.39.99 -> 192.168.1.5  TCP  http > 3694 [SYN, ACK] seq=0 ack=1 win=16384 Len=0 MSS=1460
> 192.168.1.5 -> 216.239.39.99  TCP  3694 > http [ACK] seq=1 ack=1 win=17520 Len=0
> 192.168.1.5 -> 216.239.39.99  HTTP GET / HTTP/1.1
> 216.239.39.99 -> 192.168.1.5  TCP  http > 3694 [FIN, ACK] seq=1 ack=300 win=65535 Len=0
> 192.168.1.5 -> 216.239.39.99  TCP  3694 > http [ACK] seq=300 ack=2 win=17520 Len=0
> 192.168.1.5 -> 216.239.39.99  TCP  3694 > http [FIN, ACK] seq=300 ack=2 win=17520 Len=0
> 216.239.39.99 -> 192.168.1.5  TCP  http > 3694 [ACK] seq=2 ack=301 win=65534 Len=0

first... no transparent proxy (or http hijacking) took place, because your
client (192.168.1.5) is the one that fetched the google website instead of
your proxy server...

second... although the client successfully communicates with the google web
server.. it is clearly a violation of RFC 1918.. which says that private ip
addresses are only routable within your controlled domain.. once they get out
of your controlled domain.. they must be dropped... (disregard this statement
if you do NAT, where ethereal interprets the packets above after the network
address translation)

show me what "ipfw show" and "netstat -an|grep LISTEN" say...

fooler.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0a3701c5779f$4b023b30$42764eca>
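The two checks fooler applies to Ryan's capture (who actually fetched the page, and whether an RFC 1918 source address is crossing to a public destination) can be made mechanical from the ethereal summary lines alone. The following is an added example, not code from the thread or from Squid or FreeBSD. It reconstructs the flow from the quoted lines (embedded below as a constructed sample copied from the message), derives the bytes each side sent from ethereal's relative sequence numbers (SYN occupies seq 0, so a FIN at seq N means N-1 bytes of payload preceded it), and reports one fact the thread does not spell out: the peer that answered the GET closed the connection without returning a single byte of response. It assumes ethereal's relative sequence numbering, as the `seq=0` on the SYN shows, and that a single host pair identifies a flow in this capture.

```python
"""Reconstruct TCP flows from ethereal one-line packet summaries and
report (a) requests that got no response payload and (b) private-to-public
host pairs that would violate RFC 1918 unless NAT sits behind the capture."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample: the eight packet lines quoted in the thread, verbatim.
CAPTURE = """\
192.168.1.5 -> 216.239.39.99  TCP  3694 > http [SYN] seq=0 ack=0 win=16384 Len=0 MSS=1460
216.239.39.99 -> 192.168.1.5  TCP  http > 3694 [SYN, ACK] seq=0 ack=1 win=16384 Len=0 MSS=1460
192.168.1.5 -> 216.239.39.99  TCP  3694 > http [ACK] seq=1 ack=1 win=17520 Len=0
192.168.1.5 -> 216.239.39.99  HTTP GET / HTTP/1.1
216.239.39.99 -> 192.168.1.5  TCP  http > 3694 [FIN, ACK] seq=1 ack=300 win=65535 Len=0
192.168.1.5 -> 216.239.39.99  TCP  3694 > http [ACK] seq=300 ack=2 win=17520 Len=0
192.168.1.5 -> 216.239.39.99  TCP  3694 > http [FIN, ACK] seq=300 ack=2 win=17520 Len=0
216.239.39.99 -> 192.168.1.5  TCP  http > 3694 [ACK] seq=2 ack=301 win=65534 Len=0
"""

PKT_RE = re.compile(r"^(\S+) -> (\S+)\s+(TCP|HTTP)\s+(.*)$")
FLAGS_RE = re.compile(r"\[([^\]]*)\]")
SEQ_RE = re.compile(r"\bseq=(\d+)")
ACK_RE = re.compile(r"\back=(\d+)")


@dataclass
class Flow:
    client: str                      # the host that sent the SYN
    server: str
    request: Optional[str] = None    # first HTTP request line seen from the client
    client_fin_seq: Optional[int] = None
    server_fin_seq: Optional[int] = None
    first_fin_from: Optional[str] = None
    max_ack_from_client: int = 0
    max_ack_from_server: int = 0

    @property
    def client_bytes(self) -> int:
        # Relative numbering: SYN is seq 0, payload starts at 1, FIN seq = 1 + payload.
        if self.client_fin_seq is not None:
            return self.client_fin_seq - 1
        return max(self.max_ack_from_server - 1, 0)  # fall back to what the peer acked

    @property
    def server_bytes(self) -> int:
        if self.server_fin_seq is not None:
            return self.server_fin_seq - 1
        return max(self.max_ack_from_client - 1, 0)

    @property
    def private_to_public(self) -> bool:
        # fooler's RFC 1918 point: a private source talking to a public destination.
        return (ipaddress.ip_address(self.client).is_private
                and not ipaddress.ip_address(self.server).is_private)


def parse_flows(text: str) -> List[Flow]:
    # Assumption: one flow per host pair, which holds for this capture.
    flows: Dict[FrozenSet[str], Flow] = {}
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        src, dst, proto, info = m.groups()
        key = frozenset((src, dst))
        if proto == "TCP":
            flags = {f.strip() for f in FLAGS_RE.search(info).group(1).split(",")}
            seq = int(SEQ_RE.search(info).group(1))
            ack = int(ACK_RE.search(info).group(1))
            if flags == {"SYN"}:               # a bare SYN opens a new flow
                flows[key] = Flow(client=src, server=dst)
                continue
        flow = flows.get(key)
        if flow is None:
            continue                           # SYN not in capture; cannot attribute
        from_client = src == flow.client
        if proto == "HTTP":
            if from_client and flow.request is None:
                flow.request = info.strip()
            continue
        if from_client:
            flow.max_ack_from_client = max(flow.max_ack_from_client, ack)
        else:
            flow.max_ack_from_server = max(flow.max_ack_from_server, ack)
        if "FIN" in flags:
            if from_client and flow.client_fin_seq is None:
                flow.client_fin_seq = seq
            elif not from_client and flow.server_fin_seq is None:
                flow.server_fin_seq = seq
            if flow.first_fin_from is None:
                flow.first_fin_from = "client" if from_client else "server"
    return list(flows.values())


def findings(flow: Flow) -> List[str]:
    out = []
    # Request delivered (peer acked it) but the peer closed with zero payload:
    # whoever accepted the connection never sent an HTTP response.
    if flow.request and flow.server_bytes == 0 and flow.first_fin_from == "server":
        out.append("no-response")
    if flow.private_to_public:
        out.append("rfc1918-leak-unless-nat")
    return out


if __name__ == "__main__":
    for f in parse_flows(CAPTURE):
        print(f"{f.client} -> {f.server}: request={f.request!r} "
              f"client_bytes={f.client_bytes} server_bytes={f.server_bytes} "
              f"first_fin_from={f.first_fin_from} findings={findings(f)}")
```

On Ryan's capture this reports 299 bytes of request from the client, 0 bytes back, the FIN arriving from the server side first, and both flags raised. The `rfc1918-leak-unless-nat` flag is only meaningful if the capture point is one where NAT has already been applied, which is exactly the caveat fooler attaches to his second point; the `no-response` finding holds regardless of where the capture was taken.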