From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 5 08:56:26 2009
Message-ID: <4AF29339.3050102@elischer.org>
Date: Thu, 05 Nov 2009 00:56:25 -0800
From: Julian Elischer
To: Jakub Bednar
Cc: freebsd-ipfw@freebsd.org
References: <1257352643.7731.8.camel@dell> <4AF1BD8E.207@elischer.org>
Subject: Re: Diverting sockets and streams

Jakub Bednar wrote:
> Hi Julian,
>
> thanks for making this clear to me.
>
>>
>>>
>>> so basically I have to implement part of the TCP stack in my app.
>>
>> yes,
>> though there may be other ways to do what you want..
>> what DO you want to do?
>>
>
> I need to make a transparent proxy, e.g. an HTTP proxy, that will be able to
> scan the data stream for some security problems (exploits or whatever).
>
> I had a solution based on packet forwarding and packet UID matching
> rather than divert sockets. This solution works fine on FreeBSD, Linux
> and Mac OS X Leopard. However, in the new Mac OS X Snow Leopard,
> forwarding outgoing packets to a local port does not work. So I'm looking
> for another solution.

sounds like they broke it..
maybe they inherited a change from FreeBSD that was reverted out but
existed for one release, that broke exactly that :-)

ipfw fwd along with fwd uid is the way to do this on FreeBSD
but snow leopard IS a problem.

doing it with divert is going to be a real pain.

you can also do this with nat in some cases I think..

>
> Jakub
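A ruleset for the fwd-plus-uid approach Julian recommends, as an added example that is not from this thread or from the FreeBSD project's own documentation. It targets ipfw on FreeBSD (the thread says the equivalent is broken on Snow Leopard); the proxy user "proxy", the listening port 3128 and the interface em1 are assumptions, and the script prints the rules by default so they can be reviewed before loading:

```sh
#!/bin/sh
# Added example, not code from the thread above: an ipfw "fwd" ruleset for a
# transparent HTTP proxy on FreeBSD, built the way Julian describes (fwd plus
# a uid match). The proxy user, port and interface below are assumptions.
PROXY_USER=${PROXY_USER:-proxy}   # assumed: uid the proxy process runs as
PROXY_PORT=${PROXY_PORT:-3128}    # assumed: port the proxy listens on (127.0.0.1)
LAN_IF=${LAN_IF:-em1}             # assumed: interface LAN clients arrive on

# Emit the rules instead of applying them, so they can be inspected first.
# Rule order is the security-relevant part: the uid exemption (100) must come
# before the fwd rules, otherwise the proxy's own upstream connections to
# port 80 are redirected back into the proxy and loop forever.
# Rule 110 covers connections originating on this host (the case Jakub had),
# rule 120 covers LAN clients whose traffic transits this box.
ipfw_rules() {
    cat <<EOF
ipfw add 100 allow tcp from any to any 80 out uid ${PROXY_USER}
ipfw add 110 fwd 127.0.0.1,${PROXY_PORT} tcp from any to any 80 out
ipfw add 120 fwd 127.0.0.1,${PROXY_PORT} tcp from any to any 80 in via ${LAN_IF}
EOF
}

# Sanity check: the first rule matching on uid must carry a lower number than
# the first fwd rule. Returns 0 when the ruleset cannot loop on itself.
rules_loop_free() {
    uid_no=$(ipfw_rules | awk '/ uid /{print $3; exit}')
    fwd_no=$(ipfw_rules | awk '/ fwd /{print $3; exit}')
    [ -n "$uid_no" ] && [ -n "$fwd_no" ] && [ "$uid_no" -lt "$fwd_no" ]
}

# Load the rules into the running firewall; needs root and a kernel with
# ipfw (and, on older releases, options IPFIREWALL_FORWARD).
ipfw_apply() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "ipfw_apply: must be root to load rules" >&2
        return 1
    fi
    rules_loop_free || { echo "ipfw_apply: uid exemption must precede fwd" >&2; return 1; }
    ipfw_rules | sh -e
}

case "${1:-show}" in
    apply) ipfw_apply ;;
    show)  ipfw_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no arguments to print the three rules, or with `apply` as root to load them. Because fwd leaves the packet untouched (no address rewriting, unlike nat), the proxy accepting on 127.0.0.1:3128 can recover the original destination with getsockname(2) on the accepted socket, which is what lets it open the upstream connection without reconstructing any TCP state itself; that upstream connection is then passed by rule 100 because it runs under the proxy's uid.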