Thanks for the lesson.
The ultimate goal of this is to provide SSL-Accelerator style support to
IPFilter. To have the same functionality as very expensive Cisco boxes.
This means:
1: SSL->plain translation on servers above the application servers
2: Retain the original IP for application servers.
As you point out, I can do 2: with RDR.
I can do 1: with just stunnel, (TCP relay)
But, both of those break the criteria. To achieve 1: AND 2: there needs to be
something new.
Someone suggested that sample/proxy.c will show how to tcp-jack a connection,
but retain the original IPs. That way I could lift that patch into stunnel, and
we have a new functionality.
However, sample/proxy.c does not work (for me).
Darren Reed wrote:
..
: Internet      : ipfilter server ext & int iface       : Internal Server
:               :    e1000g0                e1000g1     :
210.my.ext.IP   -> 210.172.133.140:7100 & 172.20.11.254 -> 172.20.11.5:7100
proxy.c
OK, let me explain this.
The transparent proxy is for use in situations where you are on (say)
210.my.ext.IP and you telnet "172.20.11.5 7100" with a rdr rule like
this:
rdr e1000g0 0.0.0.0/0 port 7100 -> 210.172.133.140 port 1 tcp
It will cause the connection to 172.20.11.5 to be terminated locally
on the ipfilter server at port 1. This is the only scenario that
requires the use of tproxy.
*IF* you are on 210.my.ext.IP and you want to connect to the
Internal Server automatically and the command you use is
"telnet 210.172.133.140 7100", you would do:
rdr e1000g0 0/0 port 7100 -> 172.20.11.5 port 7100 tcp
*IF* you are on 210.my.ext.IP and you want to connect to a proxy
on the ipfilter server and have the proxy connect to the Internal
Server then you do not use rdr rules or ipnat, you just use a
TCP relay program.
Darren
--
Jorgen Lundman | <[EMAIL PROTECTED]>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)
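To make the distinction Darren draws concrete, here is a small added example (not code from the thread or from IPFilter itself) that parses the two rdr rules quoted above and reports where the rewritten connection ends up. The addresses in LOCAL_ADDRS are assumed from the diagram in the thread (the ipfilter box's e1000g0 and e1000g1 addresses); the matching logic is a simplified model of rdr, not the kernel's.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed from the thread's diagram: the ipfilter box's own interface addresses.
# A redirect landing on one of these terminates locally; anything else is forwarded.
LOCAL_ADDRS = {"210.172.133.140", "172.20.11.254"}

# rdr <iface> <dst-net> port <p> -> <new-dst> port <np> <proto>
RDR_RE = re.compile(
    r"rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s*->\s*(\S+)\s+port\s+(\d+)\s+(\w+)$"
)

@dataclass
class RdrRule:
    iface: str
    dst: ipaddress.IPv4Network   # destination net the incoming packet must match
    port: int
    new_dst: str
    new_port: int
    proto: str

def parse_rdr(line: str) -> RdrRule:
    m = RDR_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an rdr rule: {line!r}")
    iface, dst, port, new_dst, new_port, proto = m.groups()
    if dst == "0/0":                      # ipnat shorthand for 0.0.0.0/0
        dst = "0.0.0.0/0"
    return RdrRule(iface, ipaddress.ip_network(dst, strict=False),
                   int(port), new_dst, int(new_port), proto)

def apply_rdr(rule: RdrRule, iface: str, dst_ip: str, dst_port: int, proto: str = "tcp"):
    """Return (new_dst, new_port) if the rule matches, else the original tuple."""
    if (rule.iface == iface and rule.proto == proto and rule.port == dst_port
            and ipaddress.ip_address(dst_ip) in rule.dst):
        return rule.new_dst, rule.new_port
    return dst_ip, dst_port

def classify(rule: RdrRule, iface: str, dst_ip: str, dst_port: int) -> str:
    """'local' when the rewritten destination is the ipfilter box itself."""
    new_ip, _ = apply_rdr(rule, iface, dst_ip, dst_port)
    return "local" if new_ip in LOCAL_ADDRS else "forwarded"

if __name__ == "__main__":
    tproxy = parse_rdr("rdr e1000g0 0.0.0.0/0 port 7100 -> 210.172.133.140 port 1 tcp")
    direct = parse_rdr("rdr e1000g0 0/0 port 7100 -> 172.20.11.5 port 7100 tcp")
    print(classify(tproxy, "e1000g0", "172.20.11.5", 7100))       # local
    print(classify(direct, "e1000g0", "210.172.133.140", 7100))   # forwarded
```

The first rule is the tproxy case (the connection is terminated on the ipfilter box at port 1); the second is plain redirection to the internal server, where no proxy is involved.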