Subject: transparent proxies a la Digital Unix
To: None <>
From: vianney rancurel <>
List: tech-net
Date: 09/17/1999 09:39:35
The purpose is to make transparent proxies for NetBSD in an easy manner.


A is an internal host, B is a NetBSD box with two NICs, C is the destination host. A has got a default route to B. It wants to "telnet" C. It just sends packets following the routing table and B "hijacks" the connection. C sees B making the connection, but A believes it is directly talking to C.

Why shouldn't we add a "#define FR_PROXY" in netinet/ip_fil.h with a new keyword "proxy" in ipf(8)? It will give us rules like this (e.g. for telnet):

proxy from any to any port = 23

It will cause packets arriving at <port> to be for us even if they are not destined to one of our interfaces or aliases. To distinguish matching packets in ipintr() we could use a new mbuf flag like M_FORUS.

On B, packets would be reassembled like the others and sent to the process binding this port in the normal way. On a getsockname(2), the process would see C as the local address. It would then be quite tricky to write transparent proxies.

Am I wrong?

Vianney Rancurel
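As an added example (not code from this post, nor from NetBSD or ipf), here is a small user-space C model of the check the post proposes: a parser for the suggested "proxy from <src> to <dst> port = <n>" rule syntax, the ipintr() decision that keeps a packet not addressed to one of our interfaces and tags it with the hypothetical M_FORUS flag, and the PCB lookup that shows why the proxy daemon has to be bound to the wildcard address (the packet still carries C's address, so only an INADDR_ANY bind on the port can receive it). The flag value, the structures, the addresses and the scenario helper are assumptions for illustration.

```c
/*
 * Constructed model of the proposed ipf "proxy" rule (added example; not
 * NetBSD or ipf code). A packet whose destination is not one of our interface
 * addresses is normally handed to ip_forward(); with a matching proxy rule it
 * is kept, tagged M_FORUS, and delivered to the socket bound to that port.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define M_FORUS 0x1000u          /* hypothetical mbuf flag, as in the post */

struct rule  { uint32_t src, smask, dst, dmask; uint16_t port; };
struct pkt   { uint32_t src, dst; uint16_t dport; unsigned mflags; };
struct inpcb { uint32_t laddr; uint16_t lport; };   /* laddr 0 = INADDR_ANY */

/* Parse a dotted quad into a host-order u32. Returns -1 on bad input. */
int ip4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* "any", "a.b.c.d" or "a.b.c.d/len" -> network address and mask. */
static int parse_addr(const char *tok, uint32_t *addr, uint32_t *mask)
{
    char buf[32], *slash;
    unsigned len = 32;

    if (strcmp(tok, "any") == 0) { *addr = 0; *mask = 0; return 0; }
    if (strlen(tok) >= sizeof buf) return -1;
    strcpy(buf, tok);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        len = (unsigned)atoi(slash + 1);
        if (len > 32) return -1;
    }
    if (ip4(buf, addr) < 0) return -1;
    *mask = len == 0 ? 0 : 0xffffffffu << (32 - len);
    *addr &= *mask;
    return 0;
}

/* Parse one rule line, e.g. "proxy from any to any port = 23". */
int parse_rule(const char *line, struct rule *r)
{
    char buf[128], *p, *tok[8];
    int n = 0;
    long port;

    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    for (p = strtok(buf, " \t\n"); p != NULL && n < 8; p = strtok(NULL, " \t\n"))
        tok[n++] = p;
    if (n != 8 || p != NULL ||                       /* exactly 8 tokens */
        strcmp(tok[0], "proxy") || strcmp(tok[1], "from") ||
        strcmp(tok[3], "to") || strcmp(tok[5], "port") || strcmp(tok[6], "="))
        return -1;
    if (parse_addr(tok[2], &r->src, &r->smask) < 0 ||
        parse_addr(tok[4], &r->dst, &r->dmask) < 0)
        return -1;
    port = strtol(tok[7], NULL, 10);
    if (port < 1 || port > 65535) return -1;
    r->port = (uint16_t)port;
    return 0;
}

/* The proposed check in ipintr(): 1 = deliver locally (M_FORUS set when we
 * keep the packet only because of a proxy rule), 0 = hand to ip_forward(). */
int ip_forus(struct pkt *p, const uint32_t *local, size_t nlocal,
             const struct rule *rules, size_t nrules)
{
    size_t i;
    for (i = 0; i < nlocal; i++)
        if (p->dst == local[i]) return 1;            /* ordinary local delivery */
    for (i = 0; i < nrules; i++)
        if ((p->src & rules[i].smask) == rules[i].src &&
            (p->dst & rules[i].dmask) == rules[i].dst &&
            p->dport == rules[i].port) {
            p->mflags |= M_FORUS;                    /* hijacked, not forwarded */
            return 1;
        }
    return 0;
}

/* PCB lookup: a hijacked packet still has C's address as destination, so no
 * socket matches it exactly; only a wildcard bind on the port can take it,
 * and getsockname(2) on that socket then reports C, as the post describes. */
const struct inpcb *pcb_lookup(const struct inpcb *tab, size_t n, const struct pkt *p)
{
    const struct inpcb *wild = NULL;
    size_t i;
    for (i = 0; i < n; i++) {
        if (tab[i].lport != p->dport) continue;
        if (tab[i].laddr == p->dst) return &tab[i];  /* exact bind wins */
        if (tab[i].laddr == 0) wild = &tab[i];
    }
    return wild;
}

/* Constructed scenario: B owns 10.0.0.1 and 192.0.2.1 and runs a proxy bound
 * to *:23. Returns -1 = bad input, 0 = forwarded, 1 = ordinary local delivery,
 * 2 = hijacked by the rule and delivered to the wildcard socket, 3 = hijacked
 * but no socket to receive it. */
int scenario(const char *rule_line, const char *src, const char *dst, unsigned port)
{
    struct rule r;
    uint32_t local[2];
    struct pkt p;
    struct inpcb socks[1] = { { 0, 23 } };

    if (parse_rule(rule_line, &r) < 0) return -1;
    if (ip4("10.0.0.1", &local[0]) < 0 || ip4("192.0.2.1", &local[1]) < 0) return -1;
    if (ip4(src, &p.src) < 0 || ip4(dst, &p.dst) < 0) return -1;
    p.dport = (uint16_t)port;
    p.mflags = 0;
    if (!ip_forus(&p, local, 2, &r, 1)) return 0;
    if (!(p.mflags & M_FORUS)) return 1;
    return pcb_lookup(socks, 1, &p) != NULL ? 2 : 3;
}

int main(void)
{
    /* A = 10.0.0.2 telnets C = 192.0.2.7 through B, which owns neither address. */
    printf("telnet to C: %d\n",
           scenario("proxy from any to any port = 23", "10.0.0.2", "192.0.2.7", 23));
    printf("http to C:   %d\n",
           scenario("proxy from any to any port = 23", "10.0.0.2", "192.0.2.7", 80));
    return 0;
}
```

The model only covers the classification step the post describes; in a real implementation the proxy daemon also has to make its outgoing connection to C itself, and B's reply packets must be sourced from C's address (or rewritten) if A is to keep believing it talks to C directly.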