Date:      Mon, 4 Mar 2002 21:37:13 -0800
From:      "Crist J. Clark" <cjc@FreeBSD.ORG>
To:        Jeff Koftinoff <jeffkoftinoff@mac.com>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Transparent proxy for connections originating on localhost
Message-ID:  <20020304213713.N87533@blossom.cjclark.org>
In-Reply-To: <A8AA5BD2-2FB4-11D6-BBFC-003065709198@mac.com>; from jeffkoftinoff@mac.com on Mon, Mar 04, 2002 at 01:13:22PM -0800
References:  <44895D20-2F88-11D6-BBFC-003065709198@jdkoftinoff.com> <A8AA5BD2-2FB4-11D6-BBFC-003065709198@mac.com>

On Mon, Mar 04, 2002 at 01:13:22PM -0800, Jeff Koftinoff wrote:
> 
> I'm sorry if this is a dumb question (or a duplicate msg), but I am 
> having a weird problem with ipfw.  I am using mac-osx, but I know that 
> all the cool ipfw gurus are probably here on freebsd-ipfw.
> 
> I am able to get a transparent proxy working for other computers on my 
> lan with the line:
> 
> My computer's ip is 192.168.147.12
> I am running apache on 192.168.147.12:80 and another server on 
> 127.0.0.1:9999
> 
> /sbin/ipfw add 1010 fwd 127.0.0.1,9999 tcp from 192.168.147.0/24 to any 80
> 
> When 192.168.147.2 tries to connect to 192.168.147.12:80, the connection 
> properly gets redirected to 127.0.0.1:9999.  Works fine.
> 
> But when 192.168.147.12 tries to connect to 192.168.147.12:80, the 
> connection hangs and does not get redirected to 127.0.0.1:9999 - the 
> server at 127.0.0.1:9999 does not even see the incoming connection. 
> However the packets must be matching the fw rule because with this fw 
> rule in place 192.168.147.12 is unable to get to the apache server on 
> port 80.
> 
> Is there some trick to this or am I doing something stupid?

I have no idea what version of ipfw(8) is running on OS X. Up until
_very_ recently (way too recently to be in OS X), 'fwd' rules only
applied to outgoing packets (this is documented in ipfw(8)). When the
local machine is communicating with itself, packets are never
outgoing. They would never get 'fwd'ed.

> All I want 
> is for all web accesses done by programs on the local machine to be 
> redirected to the transparent proxy on the local machine.  Only one 
> machine would be involved.  Or should I be looking into 'divert' 
> sockets? Where would I learn more about those?

Nope. 'fwd' is the right way to go for transparent proxying. But a
webserver running on the same machine with the proxy won't work.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
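An added example (not from either poster): a small sh script that builds the ruleset for the setup discussed above so that the host's own port-80 connections are accepted before the fwd rule can match them. It does not proxy locally-originated traffic, which the reply says fwd cannot do; it only keeps the fwd rule from interfering with local access to Apache, while LAN clients are still redirected. Rule number 1000 and the "allow first" ordering are assumptions; the `first_match` helper only models ipfw's first-match ordering for these two rules and does not talk to the kernel.

```shell
#!/bin/sh
# Constructed example for the thread's setup: LAN 192.168.147.0/24,
# host 192.168.147.12 running Apache on :80, proxy on 127.0.0.1:9999.
LAN=192.168.147.0/24
HOST=192.168.147.12
PROXY=127.0.0.1,9999

# ip2int A.B.C.D -> 32-bit integer (dotted quad to number)
ip2int() {
  set -- $(echo "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> exit 0 if ADDR lies inside NET/BITS
in_cidr() {
  addr=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Emit the rules in the order they should be installed: the host's own
# traffic is accepted at 1000, so rule 1010 (the fwd from the thread)
# never sees it and local connections still reach Apache directly.
proxy_rules() {
  echo "add 1000 allow tcp from $HOST to any 80"
  echo "add 1010 fwd $PROXY tcp from $LAN to any 80"
}

# first_match SRC -> action the ruleset above takes for SRC -> any:80
# (a model of ipfw first-match ordering, assumed for illustration)
first_match() {
  if [ "$1" = "$HOST" ]; then echo allow
  elif in_cidr "$1" "$LAN"; then echo fwd
  else echo default
  fi
}

# To install on a BSD host with ipfw (as root):
#   proxy_rules | while read -r r; do ipfw $r; done
```

The helper shows that 192.168.147.2 hits the fwd rule while 192.168.147.12 is allowed through, which is the split the unmodified rule lacked.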
