Very Computer

One of our routers in which our dialup customers are filtered through
currently runs 3.3 and Squid 2.2.  I have compiled its kernel to allow
ipfirewall and presently have it forwarding port 80 packets to port 8080
on the same machine to allow for the transparent proxy. The machines name
is dogbert.

ipfw add fwd dogbert,8080 tcp from any to any 80

What I need to do now, is to transparently filter them through to a proxy
server on another server.  If i change the ipfw rule on dogbert to:

ipfw add fwd wallace,8080 tcp from any to any 80

All the packets are dropped or lost and get operation timed out errors,
the only way i have managed to get it to work so far is by having

ipfw add fwd wallace tcp from any to any 80 (on dogbert)
ipfw add fwd wallace,8080 tcp from any to any 80 (on wallace)

To me, this dosent sound right and it seems to slow things down and
returns errors now and again, im assuming packets are getting lost or not
getting there correctly or something like that.

We use to use ipfilter when the machines were on 2.2.7/2.2.8 and this
seemed to work without a worry.  This was a while ago, and have forgotten
how the hell I had it running.

Has anyone got a better idea on forwarding packets from one machine to
another transparently?  If ipfilter is the way to go, any hints on the
commands and stuff?

BTW, I see IPSTEALTH in the LINT config, sounds pretty nifty, is there any
README's on this.  FreeBSD website comes up blank, man ipfw also comes up
blank.

Thanks,

Jarrod

I dont know if this is exactly the same problem... but
I tried to use ipfw for connecting port 8080 on the gateway/firewall
machine to port 80 on a local machine behind the gateway.

I couldnt get anything working
I tried socket from ports/net, and it does the trick...

Maybe a combo of filtering and finally redirecting to 8080 on the same
machine, and then a socket to put it onto 80 on the other machine will
do the trick ??? Word of warning ... i'm by no measure skilled enough
to see if this will actually work, or introduces some new problem...

I also tried natd -redirect_port It doesnt do it either....

I have searched high and low... and can see that it works for some,
but a large number of ppl. seems to have problems w. it....

Quote:>Has anyone got a better idea on forwarding packets from one machine to
>another transparently?  If ipfilter is the way to go, any hints on the
>commands and stuff?

regards

Kristian

(referring to forwarding)
If the IP is not a local
address then the port number (if specified) is ig-
nored and the rule only applies to packets leaving
the system.

So, this means that by the current design of ipfw, you just can't have it
set up to forward to different ports on different machines. Sorry.

And, snipped from the 3.4 release notes,

"Support has been added for forwarding IP datagrams without inspecting or
decreasing the TTL in order to make gateways and firewalls less visible
and therefore less exposed to attacks."

I think thats what your IPSTEALTH is.

--Ed