Subject: Re: Transparent Proxying
To: None <email@example.com>
From: None <firstname.lastname@example.org>
Date: 05/14/2002 18:28:45
>Sorry for my last post which had unwrapped lines, so I am resending it
>with a better formatting now:
>Is there a userspace facility on NetBSD which allows a TCP proxy daemon to
>spoof the source address for the life of a TCP connection to that of the
>actual internet client when connecting from a gateway to an internal
>service? This way the internal machine would see the connection as
>originating from the client rather than from the proxy gateway.

though only for IPv6, we have this functionality implemented as
faith(4) interface. under the following conditions:
- sysctl net.inet6.ip6.keepfaith=1,
- listening socket has setsockopt(IPV6_FAITH) set,
- an IPv6 packet gets routed to faith(4) interface
the listening socket will hijack any inbound connection.

i'm still not 100% sure if modelling it as an interface is the
right thing to do. (for instance, faith(4) model does not handle
link-local IPv6 address case)

openbsd seems to have the functionality implemented as a combination of
PF packet filter and ftp-proxy(8).
i guess you will want to check it out.
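
The socket-side condition from the reply above, as an added example that is not part of the original message or of NetBSD's own code: a listener that sets IPV6_FAITH, plus a helper that reads the address the client actually dialed from an accepted connection. The names faith_listen, original_dst, FAITH_SUPPORTED and FAITH_UNSUPPORTED are hypothetical; the keepfaith sysctl and the route to faith(4) are assumed to be configured outside the program.

```c
/* Added example (not from the post). Without IPV6_FAITH in the system
 * headers, faith_listen() returns FAITH_UNSUPPORTED and opens nothing. */
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#ifdef IPV6_FAITH
#define FAITH_SUPPORTED 1
#else
#define FAITH_SUPPORTED 0
#endif
#define FAITH_UNSUPPORTED (-2)

/* Returns a listening fd, -1 on a socket error, or FAITH_UNSUPPORTED. */
int faith_listen(unsigned short port)
{
#ifdef IPV6_FAITH
    struct sockaddr_in6 sa;
    int on = 1, s = socket(AF_INET6, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin6_family = AF_INET6;
    sa.sin6_port = htons(port);
    sa.sin6_addr = in6addr_any;
    /* Condition 2 from the post: mark the listener as a faith socket. */
    if (setsockopt(s, IPPROTO_IPV6, IPV6_FAITH, &on, sizeof(on)) < 0 ||
        bind(s, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        listen(s, 5) < 0) {
        close(s);
        return -1;
    }
    return s;
#else
    (void)port;
    return FAITH_UNSUPPORTED;
#endif
}

/* For an accepted connection, the socket's local address is the
 * destination the client dialed (the address routed to faith(4)). */
int original_dst(int conn, struct sockaddr_in6 *dst)
{
    socklen_t len = sizeof(*dst);
    return getsockname(conn, (struct sockaddr *)dst, &len);
}
```

When auditing a host, a process holding a socket with this option set while net.inet6.ip6.keepfaith is 1 is the combination that lets it receive connections addressed to other hosts.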