Fwd: stunnel transparent proxy
Julian Elischer
julian at freebsd.org
Fri Jan 14 17:50:47 UTC 2011
On 1/10/11 11:47 AM, Jay Corrales wrote:
>
> Folks,
>
> Would it be possible to devise an ipfw 'fwd' rule to pass along a socket
> connection with IP_BINDANY set via stunnel that forwards it to another
> process? The problem I'm having is the vnc service on the other side
> cannot reply back to the IP address because the routing does not redirect
> back through stunnel. I am testing configurations using apache (port 80
> and 443) for convenience.
>
> Request :
>
> ext ip -> stunnel -> vnc svc
>
> Response :
>
> vnc svc X->ext ip
>
> instead of :
>
> vnc svc -> stunnel -> ext ip
so you want the tunnel to be used in only one direction?
(not sure what stunnel actually is)
>
> With stunnel's transparent set option traffic looks like :
>
> 19:31:34.162337 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 7437993 ecr 0], length 0
> 19:31:37.153079 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S],<snip>..
> 19:31:40.351804 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S],<snip> ..
> 19:31:43.550543 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, options [mss 16344,sackOK,eol], length 0
Well, there can be a thousand reasons that there is no response..
Where was the trace taken? On the server? Client?
>
> Without transparent, traffic flows fine, and looks like :
>
> 19:32:55.883404 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [S], seq 2147354729, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 7446169 ecr 0], length 0
> 19:32:55.883575 IP 127.0.0.1.80 > 127.0.0.1.30326: Flags [S.], seq 2770470513, ack 2147354730, win 65535, options [mss 16344,nop,wscale 3,sackOK,TS val 1229815108 ecr 7446169], length 0
> 19:32:55.883589 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [.], ack 1, win 8960, options [nop,nop,TS val 7446169 ecr 1229815108], length 0
127.0.0.1 <--> 127.0.0.1 is of limited usefulness :-)
>
> ...
>
> I did try and devise pf rules to redirect or rdr and nat, but neither
> worked. I am only vaguely familiar with ipfw, and some of my research
> led me to believe it may be possible.
>
> Thanks
>
> P.S. I did post the same question earlier on freebsd-pf list as well.
> http://lists.freebsd.org/pipermail/freebsd-pf/2011-January/005914.html
I don't really understand what you want to do with stunnel and what
you hope to achieve.
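Julian's question ("where was the trace taken?") is the right one: the two captures Jay quoted differ only in whether a SYN-ACK ever comes back. The script below is an added example, not something from this thread or from stunnel; it parses tcpdump lines of the shape quoted above, groups them into client-to-server flows, and classifies each handshake as established, half-open or unanswered. It also flags the pattern Jay describes: an unanswered SYN whose source is the real (non-loopback) client address while the destination is a loopback service, which is what a transparent proxy setting the client's address via IP_BINDANY produces when the service's replies take the normal route to that address instead of returning through the proxy host. The embedded trace is constructed and modelled on the quoted lines; the regex, function names and the "return_path_suspect" heuristic are this example's own assumptions.

```python
import re

# Constructed sample trace, modelled on the two tcpdump excerpts quoted in the
# thread: a transparent (IP_BINDANY) connection whose SYN is retransmitted and
# never answered, and a plain loopback connection that completes its handshake.
SAMPLE_TRACE = """\
19:31:34.162337 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, length 0
19:31:37.153079 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, length 0
19:31:40.351804 IP 192.168.103.69.52671 > 127.0.0.1.80: Flags [S], seq 2050938762, win 65535, length 0
19:32:55.883404 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [S], seq 2147354729, win 65535, length 0
19:32:55.883575 IP 127.0.0.1.80 > 127.0.0.1.30326: Flags [S.], seq 2770470513, ack 2147354730, win 65535, length 0
19:32:55.883589 IP 127.0.0.1.30326 > 127.0.0.1.80: Flags [.], ack 1, win 8960, length 0
"""

# Matches the start of a tcpdump TCP line: timestamp, "IP"/"IP6", endpoints, flags.
# The space around ">" is optional so lines mangled by mail clients still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP6?\s+(?P<src>\S+?)\s*>\s*(?P<dst>\S+?):\s*Flags \[(?P<flags>[^\]]*)\]"
)


def split_endpoint(endpoint):
    """'192.168.103.69.52671' -> ('192.168.103.69', 52671); the port is the last dotted field."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_trace(text):
    """Return a list of (timestamp, src, dst, flags) tuples for every TCP line that parses."""
    packets = []
    for line in text.splitlines():
        line = line.lstrip("> ")  # tolerate mail-quoted lines; timestamps start with a digit
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip non-TCP lines and snipped/wrapped fragments
        packets.append((m["ts"], split_endpoint(m["src"]), split_endpoint(m["dst"]), m["flags"]))
    return packets


def analyse_handshakes(packets):
    """Group packets into client->server flows and classify each handshake.

    Key: (client endpoint, server endpoint) taken from the SYN.  Counts SYNs,
    SYN-ACKs (seen in the reverse direction) and the client's first bare ACK.
    """
    flows = {}
    for _, src, dst, flags in packets:
        if flags == "S":                                   # client SYN; a retransmit adds one
            f = flows.setdefault((src, dst), {"syn": 0, "synack": 0, "ack": 0})
            f["syn"] += 1
        elif flags == "S." and (dst, src) in flows:        # server SYN-ACK, reverse direction
            flows[(dst, src)]["synack"] += 1
        elif flags == "." and (src, dst) in flows:         # client ACK completing the handshake
            f = flows[(src, dst)]
            if f["synack"] and not f["ack"]:
                f["ack"] = 1

    for (client, server), f in flows.items():
        if f["synack"] == 0:
            f["state"] = "unanswered"
        elif f["ack"] == 0:
            f["state"] = "half-open"
        else:
            f["state"] = "established"
        # Heuristic (this example's assumption): with a transparent proxy the
        # client address is the real source, so an unanswered SYN from a
        # non-loopback client to a loopback server suggests the reply took the
        # normal route to that address instead of coming back via the proxy host.
        f["return_path_suspect"] = (
            f["state"] == "unanswered"
            and not client[0].startswith("127.")
            and server[0].startswith("127.")
        )
    return flows


def report(text):
    """Human-readable summary, one line per flow."""
    lines = []
    for (client, server), f in analyse_handshakes(parse_trace(text)).items():
        note = "  <-- replies not returning via this host?" if f["return_path_suspect"] else ""
        lines.append(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: "
                     f"{f['state']} (SYN x{f['syn']}, SYN-ACK x{f['synack']}){note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACE)))
```

Run it on a capture taken on the host running the service: an "unanswered" flow there means the SYN arrived but the SYN-ACK was never emitted toward the proxy, which narrows the problem to the service's return route rather than to stunnel's forwarding.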