Date: Mon, 4 Mar 2002 21:37:13 -0800
From: "Crist J. Clark"
To: Jeff Koftinoff
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Transparent proxy for connections originating on localhost

On Mon, Mar 04, 2002 at 01:13:22PM -0800, Jeff Koftinoff wrote:
>
> I'm sorry if this is a dumb question (or a duplicate msg), but I am
> having a weird problem with ipfw. I am using mac-osx, but I know that
> all the cool ipfw gurus are probably here on freebsd-ipfw.
>
> I am able to get a transparent proxy working for other computers on my
> lan with the line:
>
> My computer's ip is 192.168.147.12
> I am running apache on 192.168.147.12:80 and another server on
> 127.0.0.1:9999
>
> /sbin/ipfw add 1010 fwd 127.0.0.1,9999 tcp from 192.168.147.0/24 to any 80
>
> When 192.168.147.2 tries to connect to 192.168.147.12:80, the connection
> properly gets redirected to 127.0.0.1:9999. Works fine.
>
> But when 192.168.147.12 tries to connect to 192.168.147.12:80, the
> connection hangs and does not get redirected to 127.0.0.1:9999 - the
> server at 127.0.0.1:9999 does not even see the incoming connection.
> However the packets must be matching the fw rule because with this fw
> rule in place 192.168.147.12 is unable to get to the apache server on
> port 80.
>
> Is there some trick to this or am I doing something stupid?

I have no idea what version of ipfw(8) is running on OS X. Up until
_very_ recently (way too recently to be in OS X), 'fwd' rules only
applied to outgoing packets (this is documented in ipfw(8)). When the
local machine is communicating with itself, packets are never
outgoing. They would never get 'fwd'ed.

> All I want
> is for all web accesses done by programs on the local machine to be
> redirected to the transparent proxy on the local machine. Only one
> machine would be involved. Or should I be looking into 'divert'
> sockets? Where would I learn more about those?

Nope. 'fwd' is the right way to go for transparent proxying. But a
webserver running on the same machine with the proxy won't work.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org