Date:      Thu, 05 Nov 2009 00:56:25 -0800
From:      Julian Elischer <julian@elischer.org>
To:        Jakub Bednar <jakub.bednar@avg.com>
Cc:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   Re: Diverting sockets and streams
Message-ID:  <4AF29339.3050102@elischer.org>
In-Reply-To: <AD265B12-EE7D-40FF-BE80-D41FF024DD51@avg.com>
References:  <1257352643.7731.8.camel@dell> <4AF1BD8E.207@elischer.org> <AD265B12-EE7D-40FF-BE80-D41FF024DD51@avg.com>

Jakub Bednar wrote:
> Hi Julian,
> 
> thanks for making this clear to me.
> 
>>
>>>
>>> so basically I have to implement part of the TCP stack in my app.
>>
>> yes,
>> though there may be other ways to do what you want..
>> what DO you want to do?
>>
> 
> I need to make a transparent proxy e.g. HTTP proxy, that will be able to 
> scan the data stream for some security problems (exploits or whatever).
> 
> I had a solution based on packet forwarding and packet UID matching 
> rather than divert sockets. This solution works fine on FreeBSD, Linux 
> and Mac OS X Leopard. However, in the new Mac OS X Snow Leopard, 
> forwarding outgoing packets to a local port does not work. So I'm looking 
> for another solution.

sounds like they broke it..

maybe they inherited a change from FreeBSD that was reverted out but 
existed for one release, that broke exactly that :-)

ipfw fwd
along with fwd uid
is the way to do this on FreeBSD but snow leopard IS a problem.

doing it with divert is going to be a real pain.


you can also do this with nat in some cases I think..


> 
> Jakub
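As an added example, not part of the thread, here is a sketch of the "ipfw fwd along with fwd uid" ruleset Julian refers to, for pushing the host's own outgoing HTTP traffic through a local scanning proxy on FreeBSD. Assumed values (not from the message): the proxy listens on 127.0.0.1:3128 and runs as a user named proxy, the outside interface is em0, and the kernel's fwd handles locally generated packets.

```shell
#!/bin/sh
# Added example, not from the thread. Transparent proxy redirect with ipfw:
# rule 100 is the loop breaker. Without it the proxy's own upstream
# connections (also tcp to port 80, leaving via em0) would match the fwd rule
# and be redirected back into the proxy forever. Matching on uid is what
# makes the exclusion possible for locally generated packets.
PROXY_ADDR=${PROXY_ADDR:-127.0.0.1}   # assumed proxy listen address
PROXY_PORT=${PROXY_PORT:-3128}        # assumed proxy listen port
PROXY_USER=${PROXY_USER:-proxy}       # assumed uid the proxy runs as
EXT_IF=${EXT_IF:-em0}                 # assumed outside interface

# Emit the ruleset in the one-rule-per-line form that 'ipfw <file>' reads.
proxy_rules() {
    cat <<EOF
add 100 allow tcp from any to any dst-port 80 out via $EXT_IF uid $PROXY_USER
add 110 fwd $PROXY_ADDR,$PROXY_PORT tcp from any to any dst-port 80 out via $EXT_IF
add 120 allow ip from any to any
EOF
}

# Load the ruleset with ipfw(8); only meaningful on a FreeBSD host as root.
apply_rules() {
    tmp=$(mktemp) || return 1
    proxy_rules > "$tmp"
    ipfw -q "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Default action is to show the rules; pass 'apply' to load them.
case "${1:-show}" in
    show)  proxy_rules ;;
    apply) apply_rules ;;
esac
```

The proxy must then accept the redirected connection and make its own upstream connection as the excluded user; the fwd leaves the packet contents untouched, so the original destination has to be recovered from the socket (the Snow Leopard case in the thread is exactly where this redirect of outgoing packets stopped working).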



