Proxy-suite and transparent proxying on FreeBSD not working
Hello all,

I'm having trouble getting transparent proxying working on my FreeBSD 4.6-STABLE machine. Non-transparent works fine with MagicChar.

I'm using IPFilter v3.4.27 to redirect the packets.

ipnat.rules:

    rdr rl0 0.0.0.0/0 port 21 -> 192.168.1.1 port 2121

(rl0 is int interface)

ftp-proxy.conf:

    [-Global-]
    AllowMagicUser yes
    AllowTransProxy yes
    DestinationTransferMode passive
    Listen 192.168.1.1
    LogDestination /var/log/proxy-suite/ftp-proxy.log
    LogLevel DBG
    Port 2121
    ServerType standalone
    UseMagicChar %

    turbo@sebulba:~$ ftp ftp.sunet.se
    Connected to ftp.sunet.se.
    220 darkwing.home.lan FTP server (Version 1.9 - 2002/05/02 15:14:55) ready.
    Name (ftp.sunet.se:turbo): anonymous
    501 Unknown destination address.
    ftp: Login failed.

log:

    ftp-child [22788] <08/26-22:57:02> USER-INF connect from 192.168.1.15
    ftp-child [22788] <08/26-22:57:05> TECH-DBG no transparent proxy destination found
    ftp-child [22788] <08/26-22:57:05> USER-ERR unknown destination address
    ftp-child [22788] <08/26-22:57:05> USER-WRN 'SYST' without login from 192.168.1.15

If I specify DestinationAddress to some server, it connects fine, so somehow it has trouble detecting the Destination when using normal transparent proxying.

I would really like to get this working, so if anyone has any suggestions I would be thankful.

Regards, Henrik Holmstam
On Mon, Aug 26, 2002 at 11:04:23PM +0200, Henrik Holmstam wrote:
> Hello all,

Hi!

It has worked fine on 4.4-release... I'm going to test / fix some stuff reported last time - perhaps I'll also find time to update FreeBSD on my test box and take a look at it as well...

Have you compiled the proxy on a 4.6-STABLE as well?

There were some natlook ioctl number differences between ipfilter releases... You may use strace (or ptrace or trace or truss) to trace what fails. Or you can compile a debug version and take a look at /tmp/ftp-proxy.debug.

If you are running it in a chroot, you need /dev/ipnat in the chroot as well.

<offtopic>
Take a look at the rc.script.in init script - it is SuSE-like (needs /etc/rc.status), but it is easy to adapt it to work with FreeBSD and OpenBSD... Should work, if you have a /etc/rc.status :-)
</offtopic>
--------------------------------------------------------------------- To unsubscribe, e-mail: proxy-suite-unsubscribe@suse.com For additional commands, e-mail: proxy-suite-help@suse.com
Regards,
Marius Tomaschewski
On Fri, 30 Aug 2002, Marius Tomaschewski wrote:
> On Mon, Aug 26, 2002 at 11:04:23PM +0200, Henrik Holmstam wrote:
>> Hello all,
>
> Hi!
>
> It has worked fine on 4.4-release... I'm going to test / fix some stuff reported last time - perhaps I'll also find time to update FreeBSD on my test box and take a look at it as well...
>
> Have you compiled the proxy on a 4.6-STABLE as well?

Yes..

> There were some natlook ioctl number differences between ipfilter releases... You may use strace (or ptrace or trace or truss) to trace what fails. Or you can compile a debug version and take a look at /tmp/ftp-proxy.debug.

I compiled with --enable-debug and tried, have attached the ftp-proxy.debug. Feel free to take a look if you have the time.
> Regards, Marius Tomaschewski
> --
> SuSE Linux AG, Nürnberg - SuSE Labs, Product Development
> PGP public key available: http://www.suse.de/~mt/mt.pgp
> Fprint: EA 1F 92 75 1A F9 82 07 A1 28 DE 7A 32 E8 97 18
Regards, Henrik Holmstam
Hi!

OK, I've a fresh FreeBSD 4.6.2 up and running now - it does not work any more (still works on the old FreeBSD 4.4 installation).

To get it working, you have to update to v3.4.29, it contains a fix for the problem - see ip_fil3.4.29/HISTORY file:

    "[...] fix bug in SIOCGNATL handler that did not preserve the expected byte order from earlier versions in the port number [...]"

In the attachment, you will find two small patches for v3.4.29 I've done during the ipf update:

    ip_fil3.4.29.chmod_fix.dif.gz - fixes a -chmod in BSD/Makefile
    ip_fil3.4.29.INST_fix.dif.gz - fixes a FreeBSD INST instruction

Apply at least the chmod patch and follow the nice straightforward instructions in FreeBSD-4.0/INST.FreeBSD-4.

On Fri, Aug 30, 2002 at 11:02:13PM +0200, Henrik Holmstam wrote:
> I compiled with --enable-debug and tried, have attached the ftp-proxy.debug. Feel free to take a look if you have the time.

Does not show anything useful - the natlook ioctl simply does not find a match because of the byte order bug above...
Bye,
Marius.
--
° --- Marius Tomaschewski
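
The failure mode described in the message above, as an added example that is not part of the original thread and is not ipfilter's code: a simplified model of a redirect-table lookup where the caller and the handler disagree on the byte order of the port fields. The struct, the function names and the 198.51.100.7 destination are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified redirect state (not ipfilter's structures).
 * All fields are stored in network byte order, as in the packet headers. */
struct rdr_entry {
    uint32_t client_ip;  uint16_t client_port;  /* connecting client      */
    uint16_t proxy_port;                        /* port the rdr rule used */
    uint32_t real_ip;    uint16_t real_port;    /* original destination   */
};

enum port_order { PORTS_NET_ORDER, PORTS_HOST_ORDER };

/* Model of the lookup handler. `expects` is the byte order the handler
 * assumes for the ports in the caller's request. */
static const struct rdr_entry *nat_lookup(const struct rdr_entry *tbl, size_t n,
        uint32_t client_ip, uint16_t client_port, uint16_t proxy_port,
        enum port_order expects)
{
    if (expects == PORTS_HOST_ORDER) {   /* handler converts to table order */
        client_port = htons(client_port);
        proxy_port  = htons(proxy_port);
    }
    for (size_t i = 0; i < n; i++)
        if (tbl[i].client_ip == client_ip && tbl[i].client_port == client_port &&
            tbl[i].proxy_port == proxy_port)
            return &tbl[i];
    return NULL;                         /* caller has no destination to use */
}

/* Constructed sample: 192.168.1.15:40000 -> 198.51.100.7:21, redirected to
 * local port 2121. The caller always passes ports in network order. Returns
 * the recovered destination port (host order), or 0 when the lookup misses. */
unsigned demo_real_port(enum port_order handler_expects)
{
    const struct rdr_entry tbl[] = { { htonl(0xC0A8010FUL), htons(40000),
        htons(2121), htonl(0xC6336407UL), htons(21) } };
    const struct rdr_entry *e = nat_lookup(tbl, 1, htonl(0xC0A8010FUL),
                                htons(40000), htons(2121), handler_expects);
    return e ? ntohs(e->real_port) : 0;
}

int main(void)
{
    printf("orders agree: port %u, handler re-swaps: port %u\n",
           demo_real_port(PORTS_NET_ORDER), demo_real_port(PORTS_HOST_ORDER));
    return 0;
}
```

On a big-endian host htons() is a no-op, so both calls find the entry; the mismatch only shows on little-endian machines such as i386.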
On Sun, 1 Sep 2002, Marius Tomaschewski wrote:
> Hi!
>
> OK, I've a fresh FreeBSD 4.6.2 up and running now - it does not work any more (still works on the old FreeBSD 4.4 installation).
>
> To get it working, you have to update to v3.4.29, it contains a fix for the problem - see ip_fil3.4.29/HISTORY file:
>
> "[...] fix bug in SIOCGNATL handler that did not preserve the expected byte order from earlier versions in the port number [...]"

Great! That's really good news. I also noticed that Darren has merged 3.4.29 into the RELENG4 branch, which is perfect. Thanks Darren!
Regards, Henrik