Re: Transparent proxy feature?

From: Julian Elischer <julian_at_elischer.org>
Date: Fri, 11 Mar 2005 14:40:15 -0800
Antal Rutz wrote:

>Hi,
>
>Nowadays I have to use a special firewall software ('zorp') but
>unfortunately it only runs on linux. the reason is that only linux
>has the feature (transparent proxying) to listen on/send packets (sourcing)
>from other IP addresses than the machine has. (maybe with an extra kmod)
>
>The developers told me that they aren't familiar with FreeBSD but would
>port their software to it if the OS had support for that t-proxy.
>
>The question is: Is there any plan to support that thing (maybe through
>ipfw, pf or ipfilter - no idea) or is that too sick?
>  
>

There is already transparent proxy support in FreeBSD and has been for 
many years.

It is accessed through the ipfw "fwd" option.

ipfw add fwd localhost,1234 tcp from {somewhere} to (somewhere) {via some interface}

Here's the man entry for that feature.

     fwd | forward ipaddr[,port]
             Change the next-hop on matching packets to ipaddr, which can be
             an IP address in dotted quad format or a host name.  The search
             terminates if this rule matches.

             If ipaddr is a local address, then matching packets will be
             forwarded to port (or the port number in the packet if one is not
             specified in the rule) on the local machine.
             If ipaddr is not a local address, then the port number (if
             specified) is ignored, and the packet will be forwarded to the
             remote address, using the route as found in the local routing
             table for that IP.
             A fwd rule will not match layer-2 packets (those received on
             ether_input, ether_output, or bridged).
             The fwd action does not change the contents of the packet at all.
             In particular, the destination address remains unmodified, so
             packets forwarded to another system will usually be rejected by
             that system unless there is a matching rule on that system to
             capture them.  For packets forwarded locally, the local address
             of the socket will be set to the original destination address of
             the packet.  This makes the netstat(1) entry look rather weird
             but is intended for use with transparent proxy servers.

>thanks a lot.
>  
>
Received on Fri Mar 11 2005 - 21:40:18 UTC
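The last sentence of the man page excerpt is what a transparent proxy relies on: because fwd leaves the packet unmodified, getsockname() on the accepted socket yields the client's original destination rather than the proxy's own port. The following is an added Python example, not code from the mail above or from ipfw or zorp: a minimal splice that recovers that address and relays both directions. The ipfw rule in the comment is an assumed placeholder (subnet, interface and port are made up), and loopback_demo() exercises the relay without ipfw, where the recovered address is simply the listener's own.

```python
import socket
import threading
from contextlib import suppress
# Added example, not code from the original mail or from ipfw. It assumes a
# redirect rule such as (subnet, port and interface are placeholders):
#   ipfw add fwd 127.0.0.1,3128 tcp from 192.0.2.0/24 to any 80 in via em0
# fwd leaves the packet untouched, so the accepted socket's *local* address
# is the destination the client originally dialled, not the proxy's own port.

def original_destination(conn: socket.socket) -> tuple:
    """(host, port) the client dialled: under ipfw fwd the real origin, on a
    plain loopback connection merely the listener's own address."""
    return conn.getsockname()[:2]

def relay(src: socket.socket, dst: socket.socket) -> None:
    """Copy one direction until EOF, then half-close dst to pass the EOF on."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    finally:
        with suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def handle_client(conn: socket.socket, connect=socket.create_connection) -> tuple:
    """Dial the recovered destination and splice the two legs together."""
    target = original_destination(conn)
    upstream = connect(target)
    back = threading.Thread(target=relay, args=(upstream, conn), daemon=True)
    back.start()
    relay(conn, upstream)
    back.join()
    upstream.close(); conn.close()
    return target

def loopback_demo() -> tuple:
    """Exercise the splice without ipfw: a socketpair stands in for the origin.
    Returns (listener addr, recovered destination, request seen, reply seen)."""
    lsock = socket.create_server(("127.0.0.1", 0))
    listen_addr = lsock.getsockname()
    origin, fake_upstream = socket.socketpair()
    client = socket.create_connection(listen_addr)
    conn, _ = lsock.accept()
    recovered = original_destination(conn)
    worker = threading.Thread(target=handle_client, args=(conn, lambda _t: fake_upstream))
    worker.start()
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")      # constructed request
    client.shutdown(socket.SHUT_WR)
    request = b"".join(iter(lambda: origin.recv(4096), b""))
    origin.sendall(b"HTTP/1.0 200 OK\r\n\r\n")     # constructed reply
    origin.shutdown(socket.SHUT_WR)
    reply = b"".join(iter(lambda: client.recv(4096), b""))
    worker.join()
    client.close(); origin.close(); lsock.close()
    return listen_addr, recovered, request, reply
```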
