pf rdr + netsed : reinject loop...
Mel
fbsd.questions at rachie.is-a-geek.net
Fri Aug 31 10:27:28 PDT 2007
On Friday 31 August 2007 19:12:42 Mel wrote:
> On Friday 31 August 2007 18:27:26 Norberto Meijome wrote:
> > On Fri, 31 Aug 2007 17:40:06 +0200
> >
> > Mel <fbsd.questions at rachie.is-a-geek.net> wrote:
> > > > netsed's output is (part):
> > > > ---
> > > > Script started on Fri Aug 31 07:52:12 2007
> > > > [root at localhost /usr/home/luser]# netsed tcp 10101 0 0 s/FOO/BAR
> > > > netsed 0.01b by Michal Zalewski <lcamtuf at ids.pl>
> > > > [*] Parsing rule s/FOO/BAR ...
> > > > [+] Loaded 1 rules...
> > > > [+] Listening on port 10101/tcp.
> > > > [+] Using dynamic (transparent proxy) forwarding.
> > > >
> > > > [+] Got incoming connection from 172.16.82.81:1178 to 127.0.0.1:10101
> > > > [*] Forwarding connection to 127.0.0.1:10101
> > > > [+] Got incoming connection from 127.0.0.1:51337 to 127.0.0.1:10101
> > > > [*] Forwarding connection to 127.0.0.1:10101
> > > > [+] Caught client -> server packet.
> > >
> > > I think you need to figure out what this 'transparent proxy mode' of
> > > netsed does, cause it should under no circumstances forward to
> > > itself...
> >
> > it simply forwards the packet to the dst_ip:dst_port it originally had.
> > But, as Daniel H pointed out, those packets had been rewritten by pf's
> > rdr to go TO netsed's ip:port .... hence netsed won't change anything. It
> > works fine in non-proxy mode, but as I said in my first msg, that is not
> > an option for me.
>
> OK, I just tried to verify if rdr rewrites dest and indeed it does from
> netsed's point of view (didn't know my machine could go to 100 load and
> still catch SIGINT).
>
> Now I wonder how ftp-proxy(8) ever gets the server address. Time to view
> the source.
Ah, here we go:
/usr/src/contrib/pf/ftp-proxy/util.c:115:
	/*
	 * Open the pf device and lookup the mapping pair to find
	 * the original address we were supposed to connect to.
	 */
	fd = open("/dev/pf", O_RDWR);
	if (fd == -1) {
		syslog(LOG_ERR, "cannot open /dev/pf (%m)");
		exit(EX_UNAVAILABLE);
	}
	if (ioctl(fd, DIOCNATLOOK, &natlook) == -1) {
		syslog(LOG_INFO,
		    "pf nat lookup failed %s:%hu (%m)",
		    inet_ntoa(client_sa_ptr->sin_addr),
		    ntohs(client_sa_ptr->sin_port));
		close(fd);
		return(-1);
	}
	close(fd);
So, in short, netsed needs extra code to deal with pf (and probably others,
since only a Linux iptables example is listed in README) and the port
maintainer should add a warning that transparent proxy mode does not (yet)
work with pf/ipfw/ipf.
In addition, you need write access to /dev/pf :)
--
Mel
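The lookup ftp-proxy performs, as an added example (this is not netsed's or ftp-proxy's own code): a function that asks pf for the pre-rdr destination of an accepted connection, plus a guard that refuses to dial the proxy's own listener, which is the 127.0.0.1:10101 loop visible in the netsed output above. It assumes the FreeBSD/OpenBSD pf headers (struct pfioc_natlook, DIOCNATLOOK); on systems without them the ioctl is compiled out and the lookup reports failure.

```c
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#if defined(__FreeBSD__) || defined(__OpenBSD__)
#include <net/if.h>
#include <net/pfvar.h>
#endif
/* Pre-rdr destination of an accepted IPv4 TCP connection via pf's DIOCNATLOOK,
 * as ftp-proxy does.  Needs write access to /dev/pf; no pf headers -> returns -1. */
int pf_original_dst(int connfd, struct sockaddr_in *orig)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__)
    struct sockaddr_in peer, local;
    socklen_t plen = sizeof peer, llen = sizeof local;
    struct pfioc_natlook nl;
    int fd, ret = -1;
    if (getpeername(connfd, (struct sockaddr *)&peer, &plen) == -1 ||
        getsockname(connfd, (struct sockaddr *)&local, &llen) == -1)
        return -1;
    memset(&nl, 0, sizeof nl);
    nl.af = AF_INET;
    nl.proto = IPPROTO_TCP;
    nl.direction = PF_OUT;                /* the direction ftp-proxy looks up */
    nl.saddr.v4 = peer.sin_addr;  nl.sport = peer.sin_port;   /* client side */
    nl.daddr.v4 = local.sin_addr; nl.dport = local.sin_port;  /* post-rdr dst */
    if ((fd = open("/dev/pf", O_RDWR)) == -1)
        return -1;
    if (ioctl(fd, DIOCNATLOOK, &nl) == 0) {
        orig->sin_family = AF_INET;
        orig->sin_addr = nl.rdaddr.v4;    /* where the client was really going */
        orig->sin_port = nl.rdport;
        ret = 0;
    }
    close(fd);
    return ret;
#else
    (void)connfd; (void)orig; return -1;  /* assumption: no pf on this host */
#endif
}
/* Loop guard: never dial our own listener (netsed above forwarded to 127.0.0.1:10101).
 * Network byte order as in sockaddr_in; a listener on INADDR_ANY also owns loopback. */
int forwards_to_self(in_addr_t dst_ip, in_port_t dst_port, in_addr_t lsn_ip, in_port_t lsn_port)
{
    return dst_port == lsn_port && (dst_ip == lsn_ip ||
           (lsn_ip == htonl(INADDR_ANY) && dst_ip == htonl(INADDR_LOOPBACK)));
}
```

A proxy in this position would call pf_original_dst() on each accepted socket and only connect onward when forwards_to_self() on the result is false.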