Subject: transparent proxies a la Digital Unix
To: None <tech-net@NetBSD.org>
From: vianney rancurel <Vianney.Rancurel@epita.fr>
Date: 09/17/1999 09:39:35
The purpose is to make transparent proxies for NetBSD in an easy manner.
A is an internal host, B is a NetBSD box with two NICs, C is the destination host. A has got a default route to B. He wants to "telnet" C. He just sends packets following the routing table and B "hijacks" the connection. C sees B making the connection but A believes it is directly talking to C.
Why shouldn't we add a "#define FR_PROXY" in netinet/ip_fil.h with a new keyword "proxy" in ipf(8)? It would give us rules like this (e.g. for telnet):
proxy from any to any port = 23
It would cause packets arriving at <port> to be for us even if they are not destined to one of our interfaces or aliases. To distinguish matching packets in ipintr() we could use a new mbuf flag like M_FORUS.
On B, packets would be reassembled as others and sent to the process bound to this port in a normal way. On a getsockname(2), the process would see C as the local address. It would then be quite tricky to write transparent proxies.
Am I wrong?
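The userland side of this scheme, written out as an added example (not code from the post, from IP Filter or from NetBSD). It assumes the kernel half described above exists, so that a connection A aimed at C arrives at a local listener on B and getsockname(2) on the accepted socket returns C's address and port; the function names, the command-line port argument and the constructed "GET"/"banner" traffic in the self-check are my own. The relay propagates half-closes with shutdown(2), which matters for telnet-like sessions where one side finishes first. The one check worth keeping in mind is in main(): without the FR_PROXY/M_FORUS change, getsockname(2) returns B's own listening address, and a naive proxy would connect back to itself.

```c
/* Added example, not code from the post, IP Filter or NetBSD: the userland half of
 * the design above.  It assumes the proposed kernel side exists, i.e. hijacked packets
 * reach a local listener and getsockname(2) on the accepted socket reports C. */
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Recover C, the destination A really asked for, from the accepted socket's
 * local address.  Returns 0 on success, -1 otherwise. */
int original_destination(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof *dst;
    memset(dst, 0, sizeof *dst);
    if (getsockname(fd, (struct sockaddr *)dst, &len) == -1 || dst->sin_family != AF_INET)
        return -1;
    return 0;
}

/* Open B's own connection to C on the port A asked for.  Returns fd or -1. */
int connect_to_destination(const struct sockaddr_in *dst)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd != -1 && connect(fd, (const struct sockaddr *)dst, sizeof *dst) == -1) {
        close(fd); fd = -1;
    }
    return fd;
}

/* Shuttle bytes between a (A's side) and b (C's side) until both directions have
 * seen EOF, passing each half-close on with shutdown(2).  Returns bytes relayed or -1. */
long relay(int a, int b)
{
    char buf[4096];
    long total = 0;
    int fd[2] = { a, b }, live[2] = { 1, 1 };   /* live[0]: a->b, live[1]: b->a */
    while (live[0] || live[1]) {
        fd_set rfds; FD_ZERO(&rfds);
        for (int i = 0; i < 2; i++) if (live[i]) FD_SET(fd[i], &rfds);
        int ready = select((a > b ? a : b) + 1, &rfds, NULL, NULL, NULL);
        if (ready == -1) { if (errno == EINTR) continue; return -1; }
        for (int i = 0; i < 2; i++) {
            int from = fd[i], to = fd[1 - i];
            if (!live[i] || !FD_ISSET(from, &rfds)) continue;
            ssize_t n = read(from, buf, sizeof buf);
            if (n < 0) return -1;
            if (n == 0) { shutdown(to, SHUT_WR); live[i] = 0; continue; }
            for (ssize_t off = 0, w; off < n; off += w)     /* handle short writes */
                if ((w = write(to, buf + off, n - off)) <= 0) return -1;
            total += n;
        }
    }
    return total;
}

/* Offline self-check on constructed traffic: socketpair ab stands in for the A<->B leg,
 * bc for the B<->C leg.  Returns 1 if the request reaches C, the reply reaches A and
 * both half-closes are propagated, else 0. */
int selftest(void)
{
    int ab[2], bc[2], ok = 0; char buf[64];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, ab) == -1 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, bc) == -1) return 0;
    /* Constructed traffic: A sends "GET" and half-closes; C sends "banner" and half-closes. */
    if (write(ab[0], "GET", 3) == 3 && shutdown(ab[0], SHUT_WR) == 0 &&
        write(bc[1], "banner", 6) == 6 && shutdown(bc[1], SHUT_WR) == 0 &&
        relay(ab[1], bc[0]) == 9 &&
        read(bc[1], buf, sizeof buf) == 3 && memcmp(buf, "GET", 3) == 0 &&
        read(bc[1], buf, sizeof buf) == 0 &&            /* C sees A's EOF */
        read(ab[0], buf, sizeof buf) == 6 && memcmp(buf, "banner", 6) == 0 &&
        read(ab[0], buf, sizeof buf) == 0)              /* A sees C's EOF */
        ok = 1;
    close(ab[0]); close(ab[1]); close(bc[0]); close(bc[1]);
    return ok;
}

/* Usage: tproxy <listen-port>, e.g. 23 to go with the telnet rule in the post. */
int main(int argc, char **argv)
{
    struct sockaddr_in me = { .sin_family = AF_INET }, dst;   /* INADDR_ANY */
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    if (argc != 2) { fprintf(stderr, "usage: %s listen-port\n", argv[0]); return 1; }
    me.sin_port = htons((unsigned short)atoi(argv[1]));
    signal(SIGPIPE, SIG_IGN);               /* a vanishing peer must not kill us */
    if (bind(ls, (struct sockaddr *)&me, sizeof me) == -1 || listen(ls, 16) == -1) { perror("listen"); return 1; }
    for (;;) {
        int a = accept(ls, NULL, NULL), c;
        /* Without the FR_PROXY/M_FORUS kernel change this is B's own address: a self-loop. */
        if (a == -1 || original_destination(a, &dst) == -1 || fork() != 0) {
            if (a != -1) close(a);          /* parent, or failure: drop our copy */
            continue;
        }
        if ((c = connect_to_destination(&dst)) != -1) relay(a, c);
        _exit(0);                           /* child: one connection, then gone */
    }
}
```

The proxy forks one child per hijacked connection so a slow relay cannot stall accept(2); the self-check drives relay() single-threaded by pre-loading both socketpairs and half-closing them, which works because the sample traffic fits comfortably in the socket buffers.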