Date: Fri, 11 Mar 2005 14:44:39 -0800
From: Julian Elischer <julian@elischer.org>
To: Julian Elischer <julian@elischer.org>
Cc: current@freebsd.org
Subject: Re: Transparent proxy feature?
Message-ID: <42321F57.9060708@elischer.org>
In-Reply-To: <42321E4F.9020904@elischer.org>
References: <20050311223413.GA5126@mimoza.pantel.net> <42321E4F.9020904@elischer.org>
responding to myself to add more..

Julian Elischer wrote:
>
> Antal Rutz wrote:
>
>> Hi,
>>
>> Nowadays I have to use a special firewall software ('zorp') but
>> unfortunately it only runs on Linux. The reason is that only Linux
>> has the feature (transparent proxying) to listen on/send packets
>> (sourcing) from other IP addresses than the machine has. (maybe with
>> an extra kmod)
>>
>> The developers told me that they aren't familiar with FreeBSD but would
>> port their software to it if the OS had support for that t-proxy.
>>
>> The question is: Is there any plan to support that thing (maybe through
>> ipfw, pf or ipfilter - no idea) or is that too sick?
>
> There is already transparent proxy support in FreeBSD and has been
> for many years.
>
> it is accessed through the ipfw "fwd" option..
>
> ipfw add fwd localhost,1234 tcp from {somewhere} to (somewhere) {via some interface}
>
> Here's the man entry for that feature.
>
>     fwd | forward ipaddr[,port]
>         Change the next-hop on matching packets to ipaddr, which can be
>         an IP address in dotted quad format or a host name. The search
>         terminates if this rule matches.
>
>         If ipaddr is a local address, then matching packets will be
>         forwarded to port (or the port number in the packet if one is not
>         specified in the rule) on the local machine.
>         If ipaddr is not a local address, then the port number (if
>         specified) is ignored, and the packet will be forwarded to the
>         remote address, using the route as found in the local routing
>         table for that IP.
>         A fwd rule will not match layer-2 packets (those received on
>         ether_input, ether_output, or bridged).
>         The fwd action does not change the contents of the packet at all.
>         In particular, the destination address remains unmodified, so
>         packets forwarded to another system will usually be rejected by
>         that system unless there is a matching rule on that system to
>         capture them.
>         For packets forwarded locally, the local address of the socket
>         will be set to the original destination address of the packet.
>         This makes the netstat(1) entry look rather weird but is
>         intended for use with transparent proxy servers.

The proxy software need only do a getsockname() to get the sockaddr to
use for the forward connection.

The ipfw rules need to be set so that the outgoing forward connection by
the proxy is not also captured :-)

>> thanks a lot.
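As an added example (not code from this thread or from FreeBSD), a minimal accept loop for a proxy sitting behind such a fwd rule: it recovers the client's original destination with getsockname() as described above and opens the onward connection. The proxy port 3128, the inside interface fxp0 and the client network 192.168.1.0/24 are assumed values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed ipfw rule feeding this proxy. "in via fxp0" matches only packets arriving on the
 * inside interface, so the proxy's own outbound connections (leaving via the outside
 * interface) are not captured a second time:
 *   ipfw add fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any 80 in via fxp0 */
#define PROXY_PORT 3128

/* fwd leaves the packet untouched, so the accepted socket's local address is the client's
 * original destination; getsockname() recovers it. Returns 0 on success, -1 on failure. */
static int get_original_dst(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof *dst;
    memset(dst, 0, sizeof *dst);
    if (getsockname(fd, (struct sockaddr *)dst, &len) < 0 || dst->sin_family != AF_INET)
        return -1;
    return 0;
}

/* Render a sockaddr_in as "a.b.c.d:port" for logging; 0 on success, -1 if it does not fit. */
static int format_addr(const struct sockaddr_in *sa, char *buf, size_t n)
{
    char ip[INET_ADDRSTRLEN];
    if (inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip) == NULL)
        return -1;
    return snprintf(buf, n, "%s:%u", ip, ntohs(sa->sin_port)) < (int)n ? 0 : -1;
}

int main(void)
{
    struct sockaddr_in me = { .sin_family = AF_INET, .sin_port = htons(PROXY_PORT), .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0 || bind(ls, (struct sockaddr *)&me, sizeof me) < 0 || listen(ls, 16) < 0)
        return 1;
    for (;;) {                               /* one client at a time; the byte relay is omitted */
        struct sockaddr_in dst; char txt[32]; int c = accept(ls, NULL, NULL), up = -1;
        if (c >= 0 && get_original_dst(c, &dst) == 0 && format_addr(&dst, txt, sizeof txt) == 0) {
            /* the onward connect originates on the proxy host and must not match the fwd rule */
            up = socket(AF_INET, SOCK_STREAM, 0);
            if (up >= 0 && connect(up, (struct sockaddr *)&dst, sizeof dst) < 0) { close(up); up = -1; }
            printf("client wanted %s; upstream fd %d\n", txt, up);
        }
        if (up >= 0) close(up); if (c >= 0) close(c);
    }
}
```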