Transparent proxying broken?

Alastair D'Silva freebsd at newmillennium.net.au
Thu Sep 9 15:27:50 PDT 2004


It seems that transparent proxying has been broken with all the changes
to the networking stack.

These are the relevant rules (where nmn_wireless and internet are
#defines)

add 3501 fwd 127.0.0.1,3128 tcp from nmn_wireless to internet 80 keep-state
add 3502 fwd 127.0.0.1,25 tcp from nmn_wireless to internet 25 keep-state

Uname output:
FreeBSD picard.newmillennium.net.au 6.0-CURRENT FreeBSD 6.0-CURRENT #20:
Thu Sep  9 20:48:35 EST 2004    
root at picard.newmillennium.net.au:/usr/obj/usr/src/sys/PICARD  i386


Trying to connect from the nmn_wireless network:

bash-2.05b$ telnet www.freebsd.org 80
Trying 216.136.204.117...
telnet: connect to address 216.136.204.117: Operation timed out
telnet: Unable to connect to remote host


Tcpdump output of the above session:

picard# tcpdump -i ath0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
08:22:28.451296 IP crusher.nmn.cafn.57238 > gateway.fedpark.cafn.domain:  34209+ [1au] AAAA? ns1.downloadtech.com. (49)
08:22:28.451438 IP crusher.nmn.cafn.57238 > gateway.fedpark.cafn.domain:  9384+ [1au] AAAA? ns2.downloadtech.com. (49)
08:22:28.451916 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 5271559 0>
08:22:28.652615 IP gateway.fedpark.cafn.domain > crusher.nmn.cafn.57238:  34209 0/1/1 (96)
08:22:28.654474 IP gateway.fedpark.cafn.domain > crusher.nmn.cafn.57238:  9384 0/1/1 (96)
08:22:31.448320 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 5271859 0>
08:22:34.648455 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 5272179 0>
08:22:37.848571 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535 <mss 1460,nop,nop,sackOK>
08:22:41.048682 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535 <mss 1460,nop,nop,sackOK>
08:22:44.248793 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535 <mss 1460,nop,nop,sackOK>
08:22:50.449890 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535 <mss 1460,nop,nop,sackOK>
08:22:59.826015 IP crusher.nmn.cafn.57065 > picard.imap: P 1133767632:1133767689(57) ack 2198428885 win 33304 <nop,nop,timestamp 5274694 2606343>
08:22:59.856870 IP picard.imap > crusher.nmn.cafn.57065: P 1:29(28) ack 57 win 33304 <nop,nop,timestamp 2721904 5274694>
08:22:59.958772 IP crusher.nmn.cafn.57065 > picard.imap: . ack 29 win 33304 <nop,nop,timestamp 5274709 2721904>
08:23:02.661828 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535 <mss 1460,nop,nop,sackOK>



Connecting to the Squid port that was forwarded to for transparent
proxying:

bash-2.05b$ telnet picard.nmn.cafn 3128
Trying 10.0.1.1...
Connected to picard.nmn.cafn.
Escape character is '^]'.


After deleting rule 3501, everything works (the connection also works
from picard) . . .

bash-2.05b$ telnet www.freebsd.org 80
Trying 216.136.204.117...
Connected to www.freebsd.org.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 06 Sep 2004 22:25:43 GMT
Server: Apache/1.3.x LaHonda (Unix)
Last-Modified: Mon, 30 Aug 2004 21:24:54 GMT
ETag: "26fc4c-8b7c-41339b26"
Accept-Ranges: bytes
Content-Length: 35708
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug

Connection closed by foreign host.

-- 
Alastair D'Silva           mob: 0423 762 819
Networking Consultant      fax: 0413 181 661
New Millennium Networking  web: http://www.newmillennium.net.au
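As an added example (not part of the post or of FreeBSD), a small Python check that scans tcpdump summary lines like the ones quoted above and reports flows that keep retransmitting SYNs without any packet ever coming back, which is the symptom the trace shows for crusher -> www.freebsd.org.http while the fwd rule is in place. The sample lines are constructed from the post's output; the parser assumes the classic tcpdump TCP summary format used there.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the tcpdump lines quoted in the post.
SAMPLE = """\
08:22:28.451916 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535 <mss 1460,nop,nop,sackOK>
08:22:31.448320 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535 <mss 1460,nop,nop,sackOK>
08:22:34.648455 IP crusher.nmn.cafn.52164 > www.freebsd.org.http: S 4239655572:4239655572(0) win 65535 <mss 1460,nop,nop,sackOK>
08:22:59.826015 IP crusher.nmn.cafn.57065 > picard.imap: P 1133767632:1133767689(57) ack 2198428885 win 33304
08:22:59.856870 IP picard.imap > crusher.nmn.cafn.57065: P 1:29(28) ack 57 win 33304
08:22:59.958772 IP crusher.nmn.cafn.57065 > picard.imap: . ack 29 win 33304
"""

# timestamp, src, dst and the TCP flag field (S, S., P, ., F, R, ...)
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SPFR.]+)")


def stalled_flows(capture, min_syns=3):
    """Return {(src, dst): syn_count} for flows that sent at least min_syns
    bare SYNs and for which no packet at all was seen in the reverse
    direction, i.e. the handshake never progressed."""
    syns = defaultdict(int)
    seen = set()  # (src, dst) of every non-SYN packet, any direction
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # DNS and other non-TCP summary lines are ignored
        src, dst, flags = m.group("src"), m.group("dst"), m.group("flags")
        if flags == "S":
            syns[(src, dst)] += 1
        else:
            seen.add((src, dst))
    # a flow is stalled when nothing (SYN-ACK, RST or data) came back from dst
    return {flow: n for flow, n in syns.items()
            if n >= min_syns and (flow[1], flow[0]) not in seen}


if __name__ == "__main__":
    for (src, dst), n in stalled_flows(SAMPLE).items():
        print(f"{src} -> {dst}: {n} SYNs, no reply")
```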
