Re: tproxy on freebsd

2007-04-23 Thread zen

Adrian Chadd wrote:


I'm talking to someone about it who has some patches against -current.
We'll see what can be done.

Thankfully! The solution for FreeBSD looks doable without having to
keep NAT state like TPROXY does..



Adrian



just want to how's the progress regarding this issue.


TIA

Zen


___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: tproxy on freebsd

2007-04-23 Thread zen

zen wrote:


Adrian Chadd wrote:


I'm talking to someone about it who has some patches against -current.
We'll see what can be done.

Thankfully! The solution for FreeBSD looks doable without having to
keep NAT state like TPROXY does..



Adrian




sorry double post

just want to _Know_ how's the progress regarding this issue.

TIA
Zen


Re: tproxy on freebsd

2007-04-20 Thread Alexey Karagodov

real transparent proxy provided by Cisco's WCCP with, for example, Squid.
this protocol detects HTTP (and so on) traffic on any port and redirects it
to proxy-server.
same thing (not just permanent redirection of port 80 to proxy but
*DETECTING* HTTP traffic and proxying it) can be achieved by TrafficInspector
for Windows.
do you know such thing for *nix systems?
thanx.


2007/4/19, zen [EMAIL PROTECTED]:


Adrian Chadd wrote:

 On 19/04/07, zen [EMAIL PROTECTED] wrote:

 if there is any such thing , i'm willing to be a tester .
 i will deploy it on my server and environment ( live one)


 I'm talking to someone about it who has some patches against -current.
 We'll see what can be done.

i'm glad to hear that. can't wait to see and test it 

 Thankfully! The solution for FreeBSD looks doable without having to
 keep NAT state like TPROXY does..

this is GREAT!!



 Adrian

Regards

Zen



Re: Re: tproxy on freebsd

2007-04-18 Thread Volker
On 12/23/-58 20:59, zen wrote:
 i don't have a problem with this but i am going to be setting up a
 similar setup and would appreciate the help a working setup would
 provide.

 any help will be appreciated, i could use a sample configuration file
 regarding this problem.

zen & others,

building a transparent proxy using pf + squid is an easy topic and
well documented on the net.

In detail, it's going that way:

pf (assuming nve0 is your local IF):
rdr on nve0 proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in on nve0 proto tcp from any to any port 80 keep state
pass in on nve0 proto tcp from any to 127.0.0.1 port 3128 keep state

Now, compile squid with transparent support and use:
'http_port 3128 transparent' in your squid.conf (assuming you're
running squid >= 2.6).

I'm running several hosts with a setup like that.

Also you may want to check out www/havp and use it as a transparent
proxy + squid as upstream proxy. That way you also have virus
protection for your internal users while surfing the web (I'm also
doing things like that as I found it a better solution than
squidclam or the like - YMMV).

 FYI i already running transparent proxy with ipf+ipnat,:
 
 rdr nve0 0.0.0.0/0 port 80 -> 122.x.x.x port 3128 tcp
 
 but with that configuration, still the proxy ip address that visible
 when my client using the proxy.

Don't understand that sentence. What address is visible to whom? And
which address do you want to 'hide'? If you don't want to leak your
internal addresses to any outside webserver, this is a squid issue
and there should (?) be configuration options for squid.

 is it me or just i cant achieve that with FreeBSD?
 because i hate to switch to other OS only because of this.

No need to switch! :)

You may find tons of infos using google or in the ML archives [EMAIL PROTECTED]
Also pf@ or isp@ would be the appropriate list for questions like that.

HTH,

Volker



Re: Re: tproxy on freebsd

2007-04-18 Thread Adrian Chadd

On 18/04/07, Volker [EMAIL PROTECTED] wrote:


 but with that configuration, still the proxy ip address that visible
 when my client using the proxy.

Don't understand that sentence. What address is visible to whom? And
which address do you want to 'hide'? If you don't want to leak your
internal addresses to any outside webserver, this is a squid issue
and there should (?) be configuration options for squid.



He means fully transparent - ie, client thinks it's talking to the
server; server thinks it's talking to the client; proxy server IP isn't
visible to either.



Adrian

--
Adrian Chadd - [EMAIL PROTECTED]


Re: tproxy on freebsd

2007-04-18 Thread Volker
On 04/18/07 14:14, Adrian Chadd wrote:
 On 18/04/07, Volker [EMAIL PROTECTED] wrote:
 
  but with that configuration, still the proxy ip address that visible
  when my client using the proxy.

 Don't understand that sentence. What address is visible to whom? And
 which address do you want to 'hide'? If you don't want to leak your
 internal addresses to any outside webserver, this is a squid issue
 and there should (?) be configuration options for squid.

 
 He means fully transparent - ie, client thinks it's talking to the
 server; server thinks it's talking to the client; proxy server IP isn't
 visible to either.
 
 
 
 Adrian
 

Adrian,

thanks, I got it.

Talking about real transparent proxy not just a transparent one... ;)

Unfortunately I don't have a solution for that as I'm using mostly
NATed environments and it doesn't make sense to hand out private
address space to a web server.

Volker


Re: tproxy on freebsd

2007-04-18 Thread jonathan michaels
On Wed, Apr 18, 2007 at 02:25:32PM +0200, Volker wrote:
 On 04/18/07 14:14, Adrian Chadd wrote:
  On 18/04/07, Volker [EMAIL PROTECTED] wrote:
  
   but with that configuration, still the proxy ip address that visible
   when my client using the proxy.
 
  Don't understand that sentence. What address is visible to whom? And
  which address do you want to 'hide'? If you don't want to leak your
  internal addresses to any outside webserver, this is a squid issue
  and there should (?) be configuration options for squid.
 
  
  He means fully transparent - ie, client thinks it's talking to the
  server; server thinks it's talking to the client; proxy server IP isn't
  visible to either.
  
  
  
  Adrian
  
 
 Adrian,
 
 thanks, I got it.
 
 Talking about real transparent proxy not just a transparent one... ;)

not sure i understand this one, a real transparent not just a tra..
 
 Unfortunately I don't have a solution for that as I'm using mostly
 NATed environments and it doesn't make sense to hand out private
 address space to a web server.

i was assigned a class c some 15 years ago and its getting used for all
sorts of admin stuff/disabled user client stuff and other stuff that i
cannot sort out 'netting/natting for'


most kind regards and appreciations

jonathan

thanks all ... adrian volker and zen if i forgot somebody sorry.

-- 

powered by ..
QNX, OS9 and freeBSD  --  http://caamora com au/operating system
 === appropriate solution in an inappropriate world === 


Re: tproxy on freebsd

2007-04-18 Thread zen

Volker wrote:


On 04/18/07 14:14, Adrian Chadd wrote:
 


On 18/04/07, Volker [EMAIL PROTECTED] wrote:

   


but with that configuration, still the proxy ip address that visible
when my client using the proxy.
   


Don't understand that sentence. What address is visible to whom? And
which address do you want to 'hide'? If you don't want to leak your
internal addresses to any outside webserver, this is a squid issue
and there should (?) be configuration options for squid.

 


He means fully transparent - ie, client thinks it's talking to the
server; server thinks it's talking to the client; proxy server IP isn't
visible to either.



Adrian

   



Adrian,

thanks, I got it.

Talking about real transparent proxy not just a transparent one... ;)

Unfortunately I don't have a solution for that as I'm using mostly
NATed environments and it doesn't make sense to hand out private
address space to a web server.

 

well actually it is not a private address, i work for a small ISP and the proxy 
is supposed to be caching all our clients' requests.
and it is supposed to be that our clients' ip is visible to the server, not 
our proxy.

i wish FreeBSD had solutions for this,
just hate to discover the weakness of FreeBSD.
and most of all i hate to switch to another OS.



Volker

 


TIA

Zen


Re: tproxy on freebsd

2007-04-18 Thread zen

Adrian Chadd wrote:



A little birdie has told me that this mode of transparent
client-spoofing is possible with FreeBSD with a little kernel hackery
(much less than what's needed for TPROXY.)

Maybe someone who knows the code better than I could comment on how
difficult it'd be to add in functionality to FreeBSD to spoof the
local IP of a connected socket for outbound connections. This of
course assumes symmetric traffic flows but that's already a given in a
setup like this.



if there is any such thing , i'm willing to be a tester .
i will deploy it on my server and environment ( live one)


Adrian


TIA

Zen


Re: tproxy on freebsd

2007-04-18 Thread Adrian Chadd

On 19/04/07, zen [EMAIL PROTECTED] wrote:


if there is any such thing , i'm willing to be a tester .
i will deploy it on my server and environment ( live one)


I'm talking to someone about it who has some patches against -current.
We'll see what can be done.

Thankfully! The solution for FreeBSD looks doable without having to
keep NAT state like TPROXY does..



Adrian

--
Adrian Chadd - [EMAIL PROTECTED]


Re: tproxy on freebsd

2007-04-18 Thread zen

Adrian Chadd wrote:


On 19/04/07, zen [EMAIL PROTECTED] wrote:


if there is any such thing , i'm willing to be a tester .
i will deploy it on my server and environment ( live one)



I'm talking to someone about it who has some patches against -current.
We'll see what can be done.


i'm glad to hear that. can't wait to see and test it 


Thankfully! The solution for FreeBSD looks doable without having to
keep NAT state like TPROXY does..


this is GREAT!!




Adrian


Regards

Zen



tproxy on freebsd

2007-04-17 Thread zen

hi,
i know it seems off topic,
i recently built a proxy server to serve our small ISP,
but i'm facing a big problem. as far as i know FreeBSD doesn't support 
TPROXY like linux does.
but i need to build this proxy transparently so only my client ips are 
visible when browsing.

i use ipnat and ipf with Squid latest stable release.
does anyone have experience building a true transparent proxy with FreeBSD?
please share the knowledge and the regarding this problems.

TIA

Zen



Re: tproxy on freebsd

2007-04-17 Thread Max Laier
On Tuesday 17 April 2007 09:17, zen wrote:
 i know it seem out of topic,
 i recently build a proxy server to serve our small ISP,
 but i'm facing a big problem. as far as i know FreeBSD didn't support
 TPROXY like linux had.
 but i need to build this proxy transparently so only my client ips that
 visible when browsing.
 i use ipnat and ipf with Squid latest stable release.
 does anyone has experience building a true transparent proxy with
 FreeBSD? please share the knowledge and the regarding this problems.

http://www.benzedrine.cx/transquid.html is a tutorial for OpenBSD + pf + 
squid, but almost the same steps are required for FreeBSD.  If you build 
squid from the portstree you should enable:

 [X] SQUID_PF Enable transparent proxying with PF

or

 [ ] SQUID_IPFILTER   Enable transp. proxying with IPFilter

if you want to stay with ipf + ipnat.

-- 
/\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News




Re: tproxy on freebsd

2007-04-17 Thread Peter Jeremy
On 2007-Apr-17 14:17:05 +0700, zen [EMAIL PROTECTED] wrote:
does anyone has experience building a true transparent proxy with FreeBSD?
please share the knowledge and the regarding this problems.

Max beat me to answering but I use squid+IPfilter as a transparent proxy
on my home firewall.  The only problems I've run into are bugs in the
IPfilter window handling code.

-- 
Peter Jeremy




Re: tproxy on freebsd

2007-04-17 Thread Alexander Kuprijanov
On Tuesday 17 April 2007 11:17:05 zen wrote:
 hi,
 i know it seem out of topic,
 i recently build a proxy server to serve our small ISP,
 but i'm facing a big problem. as far as i know FreeBSD didn't support
 TPROXY like linux had.
 but i need to build this proxy transparently so only my client ips that
 visible when browsing.
 i use ipnat and ipf with Squid latest stable release.
 does anyone has experience building a true transparent proxy with FreeBSD?
 please share the knowledge and the regarding this problems.

 TIA

 Zen



Dear Zen

I use transparent proxy on my home wi-fi network, and at work (ethernet lan) 
with pf+proxy on FreeBSD gateways without any problems... earlier I used 
ipfilter+proxy (for transparent proxying) also without problems.

I can share my config (pf+proxy) if you need



Re: tproxy on freebsd

2007-04-17 Thread jonathan michaels
alexander,

list, sorry for posting to list, i tried to post to advertised mail
address and my post bounced as user unknown. so i try here.

On Tue, Apr 17, 2007 at 09:29:21PM +0400, Alexander Kuprijanov wrote:
 On Tuesday 17 April 2007 11:17:05 zen wrote:

 I use transparent proxy on my home wi-fi network, and on work (ethernet lan) 
 with pf+proxy on FreeBSD gateways without any problems... earlier I used 
 ipfilter+proxy (for transparent proxying) also without problems.
 
 I can share my config (pf+proxy) if you need

i don't have a problem with this but i am going to be setting up a
similar setup and would appreciate the help a working setup would
provide.

sorry for my poor english and typing .. i am disabled.

kind regards

jonathan

-- 

powered by ..
QNX, OS9 and freeBSD  --  http://caamora com au/operating system
 === appropriate solution in an inappropriate world === 


Re: tproxy on freebsd

2007-04-17 Thread zen

jonathan michaels wrote:


alexander,

list, sorry for posting to list, i tried to post to advertised mail
address and my post bounced as user unknown. so i try here.

On Tue, Apr 17, 2007 at 09:29:21PM +0400, Alexander Kuprijanov wrote:
 


On Tuesday 17 April 2007 11:17:05 zen wrote:
   



 

I use transparent proxy on my home wi-fi network, and on work (ethernet lan) 
with pf+proxy on FreeBSD gateways without any problems... earlier I used 
ipfilter+proxy (for transparent proxying) also without problems.


I can share my config (pf+proxy) if you need
   



i don't have a problem with this but i am going to be setting up a
similar setup and would appreciate the help a working setup would
provide.

sorry for my poor english and typing .. i am disabled.

kind regards

jonathan

 

any help will be appreciated, i could use a sample configuration file 
regarding this problem.

FYI i am already running a transparent proxy with ipf+ipnat:

rdr nve0 0.0.0.0/0 port 80 -> 122.x.x.x port 3128 tcp

but with that configuration, still the proxy ip address that visible 
when my client using the proxy.

is it me or just i can't achieve that with FreeBSD?
because i hate to switch to another OS only because of this.

anyway this is what i found on the net, but it only works on linux

http://www.sanog.org/resources/sanog4-devdas-transproxy.pdf

TIA

Zen


Re: tproxy on freebsd

2007-04-17 Thread jonathan michaels
On Wed, Apr 18, 2007 at 08:35:16AM +0700, zen wrote:
 jonathan michaels wrote:
 
 alexander,
 
 list, sorry for posting to list, i tried to post to advertised mail
 address and my post bounced as user unknown. so i try here.
 
 On Tue, Apr 17, 2007 at 09:29:21PM +0400, Alexander Kuprijanov wrote:
   
 
 On Tuesday 17 April 2007 11:17:05 zen wrote:
 
 
 
   
 
 I use transparent proxy on my home wi-fi network, and on work (ethernet 
 lan) 
 with pf+proxy on FreeBSD gateways without any problems... earlier I used 
 ipfilter+proxy (for transparent proxying) also without problems.
 
 I can share my config (pf+proxy) if you need
 
 
 
 i don't have a problem with this but i am going to be setting up a
 similar setup and would appreciate the help a working setup would
 provide.
 
 sorry for my poor english and typing .. i am disabled.
 
 kind regards
 
 jonathan
 
   
 
 any help will be appreciated, i could use a sample configuration file 
 regarding this problem.
 FYI i already running transparent proxy with ipf+ipnat,:
 
 rdr nve0 0.0.0.0/0 port 80 -> 122.x.x.x port 3128 tcp
 
 but with that configuration, still the proxy ip address that visible 
 when my client using the proxy.
 is it me or just i cant achieve that with FreeBSD?
 because i hate to switch to other OS only because of this.
 
 anyway this what i found in the net, but only work on linux
 
 http://www.sanog.org/resources/sanog4-devdas-transproxy.pdf

sorry my internet (web browser machine/webbrowser is offline) access is
broken at moment .. i use lynx on a 486dx50, it's 20 years old.

will this work on centos v4 and/or debian v3.4 ??? i am setting up a
compaq proliant 5500r as the network backbone, multi boot (freebsd v6,
debian v3.4 and ms window 2003 server/professional). this is my fall
back strategy.

much thanks and most kind regards

jonathan

-- 

powered by ..
QNX, OS9 and freeBSD  --  http://caamora com au/operating system
 === appropriate solution in an inappropriate world === 


Re: tproxy on freebsd

2007-04-17 Thread zen

jonathan michaels wrote:


On Wed, Apr 18, 2007 at 08:35:16AM +0700, zen wrote:
 


jonathan michaels wrote:

   


alexander,

list, sorry for posting to list, i tried to post to advertised mail
address and my post bounced as user unknown. so i try here.

On Tue, Apr 17, 2007 at 09:29:21PM +0400, Alexander Kuprijanov wrote:


 


On Tuesday 17 April 2007 11:17:05 zen wrote:
  

   




 

I use transparent proxy on my home wi-fi network, and on work (ethernet lan) 
with pf+proxy on FreeBSD gateways without any problems... earlier I used 
ipfilter+proxy (for transparent proxying) also without problems.


I can share my config (pf+proxy) if you need
  

   


i don't have a problem with this but i am going to be setting up a
similar setup and would appreciate the help a working setup would
provide.

sorry for my poor english and typing .. i am disabled.

kind regards

jonathan



 

any help will be appreciated, i could use a sample configuration file 
regarding this problem.

FYI i already running transparent proxy with ipf+ipnat,:

rdr nve0 0.0.0.0/0 port 80 -> 122.x.x.x port 3128 tcp

but with that configuration, still the proxy ip address that visible 
when my client using the proxy.

is it me or just i cant achieve that with FreeBSD?
because i hate to switch to other OS only because of this.

anyway this what i found in the net, but only work on linux

http://www.sanog.org/resources/sanog4-devdas-transproxy.pdf
   



sorry my internet (web browser machine/webbrowser is offline) access is
broken at moment .. i use lynx on a 486dx50, it's 20 years old.

will this work on centos v4 and/or debian v3.4 ??? i am setting up a
compaq proliant 5500r as the network backbone, multi boot (freebsd v6,
debian v3.4 and ms window 2003 server/professional). this is my fall
back strategy.

much thanks and most kind regards

jonathan

 


i think so, it works on most linux machines depending on your linux kernel.
here is the patch for the kernel :
http://www.balabit.com/downloads/tproxy/
but if i can choose linux or FreeBSD i prefer FreeBSD ( i'm a 
FreeBSD die hard user).
that's why i ask the people here, maybe they have solutions regarding 
this problem.


TIA

Zen


Re: tproxy on freebsd

2007-04-17 Thread Adrian Chadd

On 18/04/07, zen [EMAIL PROTECTED] wrote:


i think so, it works on most linux machines depending on your linux kernel.
here is the patch for the kernel :
http://www.balabit.com/downloads/tproxy/
but if i can choose linux or FreeBSD i prefer FreeBSD ( i'm a
FreeBSD die hard user).
that's why i ask the people here, maybe they have solutions regarding
this problem.


A little birdie has told me that this mode of transparent
client-spoofing is possible with FreeBSD with a little kernel hackery
(much less than what's needed for TPROXY.)

Maybe someone who knows the code better than I could comment on how
difficult it'd be to add in functionality to FreeBSD to spoof the
local IP of a connected socket for outbound connections. This of
course assumes symmetric traffic flows but that's already a given in a
setup like this.


Adrian

--
Adrian Chadd - [EMAIL PROTECTED]
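
Added example, not part of the thread and not FreeBSD or Squid source: the primitive discussed above, an outbound socket bound to an address the proxy host does not own, was exposed in later FreeBSD releases as the IP_BINDANY socket option, with IP_TRANSPARENT as the Linux counterpart. The names try_bind_as and NONLOCAL_OPT are hypothetical, 192.0.2.10 is a constructed stand-in for a client address, and the option only succeeds for a privileged process.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Socket option that permits bind() to an address the host does not own. */
#if defined(IP_BINDANY)
#define NONLOCAL_OPT IP_BINDANY      /* FreeBSD */
#elif defined(IP_TRANSPARENT)
#define NONLOCAL_OPT IP_TRANSPARENT  /* Linux */
#endif

/*
 * Try to give an outbound TCP socket the source address src_ip.
 * allow_nonlocal = 0: ordinary bind(), as an unmodified proxy would do.
 * allow_nonlocal = 1: set the privileged option first, as a fully
 *                     transparent proxy does before connect().
 * Returns 0 on success, otherwise the errno of the step that failed.
 */
int try_bind_as(const char *src_ip, int allow_nonlocal)
{
    struct sockaddr_in sa;
    int on = 1, rc = 0, s;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = 0;                     /* kernel picks the source port */
    if (inet_pton(AF_INET, src_ip, &sa.sin_addr) != 1)
        return EINVAL;

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return errno;

    if (allow_nonlocal) {
#ifdef NONLOCAL_OPT
        if (setsockopt(s, IPPROTO_IP, NONLOCAL_OPT, &on, sizeof(on)) < 0)
            rc = errno;                  /* EPERM without the privilege */
#else
        (void)on;
        rc = ENOPROTOOPT;                /* platform has no such option */
#endif
    }
    if (rc == 0 && bind(s, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        rc = errno;                      /* EADDRNOTAVAIL for a foreign address */
    close(s);
    return rc;
}

int main(void)
{
    const char *client = "192.0.2.10";   /* constructed client address (TEST-NET-1) */

    printf("plain bind:      %s\n", strerror(try_bind_as(client, 0)));
    printf("with option set: %s\n", strerror(try_bind_as(client, 1)));
    return 0;
}
```

Because the origin server's replies are addressed to the client, this only works when return traffic passes back through the proxy host, which is the symmetric-flow assumption stated in the message above.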