<font color='black' size='2' face='Arial, Helvetica, sans-serif'>
<div style="font-family:helvetica,arial;font-size:10pt;color:black">
<div id="AOLMsgPart_2_51d570f1-c983-4ebc-b4c6-1bccd96a9d89">
<font color="black" size="2" face="Arial, Helvetica, sans-serif"><font color="black" face="Arial, Helvetica, sans-serif" size="2">Hi Mike,<br>
<br>
Your response was in my spam folder, and I just realized it :-). It is good to hear that this configuration is ultimately possible -- but just not with out-of-the-box configurations, as far as my testing has shown. Therefore it would be better if the documentation stated this. <br>
<br>
> </font>Could you please try to be a bit more specific (e.g. in terms of your stunnel and kernel versions, configuration, logs, packet captures, etc.)?<font><font color="black" face="Arial, Helvetica, sans-serif" size="2">
<div><br>
</div>
</font></font><font color="black" face="Arial, Helvetica, sans-serif" size="2"><font><font color="black" face="Arial, Helvetica, sans-serif" size="2">
<div>I am using the most current versions to date for each software stack. All use the same stunnel.conf file.
</div>
<div><br>
</div>
<div>
<div>foreground = yes</div>
<div>cert = /etc/stunnel/stunnel.pem</div>
<div>sslVersion = all</div>
<div>setuid = root</div>
<div>setgid = root</div>
<div>pid = /tmp/stunnel.pid</div>
<div>socket = l:TCP_NODELAY=1</div>
<div>socket = r:TCP_NODELAY=1</div>
<div>debug = 7</div>
<div>output = /var/log/stunnel.log</div>
<div><br>
</div>
<div>[http]</div>
<div>accept = 443</div>
<div>connect = 80</div>
<div>transparent = yes</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>FreeBSD 8.1: </div>
<div>
<div><br>
</div>
<div>rpminit# stunnel -version</div>
<div>stunnel 4.33 on amd64-portbld-freebsd8.1 with OpenSSL 0.9.8n 24 Mar 2010</div>
</div>
<div>
<div>rpminit# uname -a</div>
<div>FreeBSD hostname 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Fri Jul 30 12:55:14 UTC 2010 root@hostname:/usr/obj/usr/src/sys/generic amd64</div>
</div>
<div><br>
</div>
<div>This stunnel version has been patched to support 'non-local binding'; see http://marc.info/?l=stunnel-users&m=129415990930730&w=2</div>
<div><br>
</div>
<div>CentOS : <span class="Apple-style-span" style="font-family: 'Lucida Grande'; font-size: 13px; ">CentOS-5.5-x86_64-netinstall.iso</span><span class="Apple-style-span" style="font-size: 13px; ">:</span></div>
<div><span class="Apple-style-span" style="font-size: 13px; "><br>
</span></div>
<div><span class="Apple-style-span" style="font-size: 13px; ">
<div>[foo@localhost ~]$ uname -a</div>
<div>Linux localhost.localdomain 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:14 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux</div>
<div>[root@localhost ~]# stunnel -version</div>
<div>stunnel 4.15 on x86_64-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008</div>
<div>Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP</div>
<div> </div>
<div>Global options</div>
<div>debug = 5</div>
<div>pid = /var/run/stunnel.pid</div>
<div>RNDbytes = 64</div>
<div>RNDfile = /dev/urandom</div>
<div>RNDoverwrite = yes</div>
<div> </div>
<div>Service-level options</div>
<div>cert = /etc/stunnel/stunnel.pem</div>
<div>ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH</div>
<div>key = /etc/stunnel/stunnel.pem</div>
<div>session = 300 seconds</div>
<div>TIMEOUTbusy = 300 seconds</div>
<div>TIMEOUTclose = 60 seconds</div>
<div>TIMEOUTconnect = 10 seconds</div>
<div>TIMEOUTidle = 43200 seconds</div>
<div>verify = none</div>
<div>[root@localhost ~]# </div>
<div><br>
</div>
<div>
<div>[root@localhost ~]# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT</div>
<div>iptables v1.3.5: Couldn't load match `socket':/lib64/iptables/libipt_socket.so: cannot open shared object file: No such file or directory</div>
<div><br>
</div>
<div>Try `iptables -h' or 'iptables --help' for more information.</div>
<div>[root@localhost ~]# </div>
</div>
<div><br>
</div>
<div>Ubuntu : <span class="Apple-style-span" style="font-family: 'Lucida Grande'; ">mini.iso</span> <span class="Apple-style-span" style="font-family: 'Helvetica Neue', 'Lucida Grande', Helvetica, Arial, Verdana, sans-serif; font-size: 14px; "><a class="http" href="http://archive.ubuntu.com/ubuntu/dists/maverick/main/installer-amd64/current/images/netboot/mini.iso" style="color: rgb(217, 13, 25); border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; ">Ubuntu 10.10 "Maverick Meerkat" Minimal CD</a> 15.6MB (MD5: 3d9f096398991ed1eaa9ff32128e199a, SHA1: ea621a169b55d4c759f19600fea78e4ba7b83ba4)</span><span class="Apple-style-span" style="font-size: small;"> https://help.ubuntu.com/community/Installation/MinimalCD</span></div>
<div><span class="Apple-style-span" style="font-size: small;"><br>
</span></div>
<div><span class="Apple-style-span" style="font-size: small;">
<div>
<div>foo@ubuntu:~$ uname -a</div>
<div>Linux ubuntu 2.6.35-24-generic #42-Ubuntu SMP Thu Dec 2 02:41:37 UTC 2010 x86_64 GNU/Linux</div>
<div>foo@ubuntu:~$ dpkg -s stunnel</div>
</div>
<div>Package: stunnel</div>
<div>Status: install ok installed</div>
<div>Priority: extra</div>
<div>Section: net</div>
<div>Installed-Size: 56</div>
<div>Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com></div>
<div>Architecture: all</div>
<div>Source: stunnel4</div>
<div>Version: 3:4.29-1</div>
<div>Depends: stunnel4 (>= 3:4.20-3)</div>
<div>Description: dummy upgrade package</div>
<div> stunnel version 3 has been removed from Debian. This is a dummy package</div>
<div> to ease upgrading to stunnel4.</div>
<div> .</div>
<div> You may safely remove this package after the upgrade.</div>
<div>Original-Maintainer: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org></div>
<div>Homepage: http://www.stunnel.org/</div>
<div><br>
</div>
<div>
<div><br>
</div>
</div>
</span></div>
<div><span class="Apple-style-span" style="font-family: 'Helvetica Neue', 'Lucida Grande', Helvetica, Arial, Verdana, sans-serif; font-size: 14px; ">
<div>root@ubuntu:~# tcpdump -i any port 80</div>
<div>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode</div>
<div>listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes</div>
<div><br>
</div>
<div><br>
</div>
<div>13:29:34.794295 IP 192.168.103.69.40886 > localhost.www: Flags [S], seq 3983439445, win 32792, options [mss 16396,sackOK,TS val 46696 ecr 0,nop,wscale 6], length 0</div>
<div>13:29:37.801619 IP 192.168.103.69.40886 > localhost.www: Flags [S], seq 3983439445, win 32792, options [mss 16396,sackOK,TS val 46997 ecr 0,nop,wscale 6], length 0</div>
<div>13:29:43.811568 IP 192.168.103.69.40886 > localhost.www: Flags [S], seq 3983439445, win 32792, options [mss 16396,sackOK,TS val 47598 ecr 0,nop,wscale 6], length 0</div>
<div><font class="Apple-style-span" face="Arial, Helvetica, sans-serif"><span class="Apple-style-span" style="font-size: small;">...</span></font></div>
<div><font class="Apple-style-span" face="Arial, Helvetica, sans-serif"><span class="Apple-style-span" style="font-size: small;">
<div>root@ubuntu:/etc/stunnel# iptables -t mangle -N DIVERT</div>
<div>root@ubuntu:/etc/stunnel# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT</div>
<div>root@ubuntu:/etc/stunnel# iptables -t mangle -A DIVERT -j MARK --set-mark 1</div>
<div>root@ubuntu:/etc/stunnel# iptables -t mangle -A DIVERT -j ACCEPT</div>
<div>root@ubuntu:/etc/stunnel# ip rule add fwmark 1 lookup 100</div>
<div>root@ubuntu:/etc/stunnel# ip route add local 0.0.0.0/0 dev lo table 100</div>
<div>root@ubuntu:/etc/stunnel# echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter</div>
<div>root@ubuntu:/etc/stunnel# /etc/init.d/stunnel4 start</div>
<div>2011.01.07 13:29:34 LOG7[990:140669015152384]: http accepted FD=14 from 192.168.103.69:40886</div>
</span></font></div>
<div><font class="Apple-style-span" face="Arial, Helvetica, sans-serif">
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: http started</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: FD 14 in non-blocking mode</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: TCP_NODELAY option set on local socket</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: Waiting for a libwrap process</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: Acquired libwrap process #0</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: Releasing libwrap process #0</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: Released libwrap process #0</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: http permitted by libwrap from 192.168.103.69:40886</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG5[990:140669015144192]: http accepted connection from 192.168.103.69:40886</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): before/accept initialization</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 read client hello A</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write server hello A</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write certificate A</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write server done A</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 flush data</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 read client key exchange A</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 read finished A</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write change cipher spec A</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 write finished A</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: SSL state (accept): SSLv3 flush data</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: 2 items in the session cache</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 client connects (SSL_connect())</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 client connects that finished</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 client renegotiations requested</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: 2 server connects (SSL_accept())</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: 2 server connects that finished</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 server renegotiations requested</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 session cache hits</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 external session cache hits</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 session cache misses</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: 0 session cache timeouts</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG6[990:140669015144192]: SSL accepted: new session negotiated</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG6[990:140669015144192]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: FD 15 in non-blocking mode</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG6[990:140669015144192]: local_bind succeeded on the original port</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG6[990:140669015144192]: connect_blocking: connecting 127.0.0.1:80</div>
<div style="font-size: small; ">2011.01.07 13:29:34 LOG7[990:140669015144192]: connect_blocking: s_poll_wait 127.0.0.1:80: waiting 10 seconds</div>
<div style="font-size: small; ">2011.01.07 13:29:44 LOG3[990:140669015144192]: connect_blocking: s_poll_wait 127.0.0.1:80: timeout</div>
<div style="font-size: small; ">2011.01.07 13:29:44 LOG5[990:140669015144192]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket</div>
<div style="font-size: small; ">2011.01.07 13:29:44 LOG7[990:140669015144192]: http finished (0 left)</div>
<div style="font-size: small; "><br>
</div>
</font></div>
</span></div>
<div><font class="Apple-style-span" face="'Helvetica Neue', 'Lucida Grande', Helvetica, Arial, Verdana, sans-serif" size="4"><span class="Apple-style-span" style="font-size: 14px;"><font class="Apple-style-span" face="Arial, Helvetica, sans-serif"><span class="Apple-style-span" style="font-size: small;"><br>
</span></font></span></font></div>
</span></div>
</font></font>
<div> <span class="Apple-style-span" style="font-family: arial, helvetica; font-size: 13px; ">> Did you use any of those 80 hours to RTFM at </span><span class="Apple-style-span" style="font-family: arial, helvetica; font-size: 13px; "><a target="_blank" href="http://stunnel.mirt.net/static/stunnel.html">http://stunnel.mirt.net/static/stunnel.html</a></span><span class="Apple-style-span" style="font-family: arial, helvetica; font-size: 13px; "> ?</span></div>
<div><span class="Apple-style-span" style="font-family: arial, helvetica; font-size: 13px; "><br>
</span></div>
<div>Yes. FYI, as a test case: if it were as easy as reading the above document, there would be no RFC. In regards to http://www.stunnel.org/faq/transparent.html:</div>
<div><br>
</div>
<div>"References for 2.4 kernel that say it's not possible..."</div>
<div><br>
</div>
<div>"Reference for 2.4 kernel that say it is possible..."</div>
<div><br>
</div>
<div>Would it be of best use to update this document for only the current state-of-the-art kernel versions, and therefore remove references to 2.4 kernels? The confusion led me to hope that I could possibly get it working.</div>
<div><br>
</div>
<div>If out-of-the-box transparent mode does not function, but requires non-portable modification, can you provide this code? One possible option is to upload a VM image that demonstrates it. </div>
<div><br>
</div>
<div>If it is non-trivial and out of scope, it would be better to update the document with this information or provide further clarification to this effect. Given that someone has accomplished the goal, a complete end-to-end solution is what really needs to be explained.</div>
<div><br>
</div>
<div>Best regards,</div>
<div>OSC</div>
<div><span class="Apple-style-span" style="font-family: arial, helvetica; font-size: 13px; "><span class="Apple-style-span" style="font-size: medium; "><font class="Apple-style-span" face="Arial, Helvetica, sans-serif"><br>
</font></span></span></div>
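<div>The configuration and log excerpts above invite two defender-side checks that the thread does not spell out. The following Python script is an added example for this thread, not stunnel's own code: it parses an stunnel.conf in stunnel's global-then-[service] layout, flags the settings in the posted file that deserve a second look (setuid/setgid = root, sslVersion = all, no chroot, debug = 7, transparent = yes), contrasts them with a constructed hardened variant, and summarizes log lines such as the connect_blocking timeout shown above. The hardened user name, chroot path and cipher string are illustrative assumptions; the ';' comment character and case-insensitive option matching are assumed as well.</div>

```python
# Audit an stunnel.conf and summarize stunnel debug-log lines.
# Added example for the thread above, not stunnel's own code. Assumed here:
# global options precede the first [service] section, ';' starts a comment,
# and option names are matched case-insensitively.
import re
from collections import Counter

# Constructed sample: the core of the configuration posted in the thread.
SAMPLE_CONF = """\
cert = /etc/stunnel/stunnel.pem
sslVersion = all
setuid = root
setgid = root
debug = 7
output = /var/log/stunnel.log

[http]
accept = 443
connect = 80
transparent = yes
"""
# Constructed hardened variant (user, chroot path and cipher string are illustrative).
HARDENED_CONF = """\
chroot = /var/lib/stunnel
setuid = stunnel
setgid = stunnel
sslVersion = TLSv1
ciphers = AES:!aNULL:!eNULL:!RC4:@STRENGTH

[http]
accept = 443
connect = 80
"""
# Constructed sample: four lines taken from the debug log posted in the thread.
SAMPLE_LOG = """\
2011.01.07 13:29:34 LOG5[990:140669015144192]: http accepted connection from 192.168.103.69:40886
2011.01.07 13:29:34 LOG6[990:140669015144192]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2011.01.07 13:29:44 LOG3[990:140669015144192]: connect_blocking: s_poll_wait 127.0.0.1:80: timeout
2011.01.07 13:29:44 LOG5[990:140669015144192]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""
# "<date> <time> LOG<level>[<pid>:<tid>]: <message>" as in the posted log.
LOG_LINE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")

def parse_conf(text):
    """Return {section: {option: [values]}}; global options live under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:  # junk lines are skipped rather than aborting the audit
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].setdefault(key.lower(), []).append(value)
    return sections

def audit_conf(sections):
    """Return (severity, section, finding) tuples for settings worth a second look."""
    first = lambda opts, key: opts.get(key, [None])[0]
    g, findings = sections[""], []
    if first(g, "setuid") in (None, "root") or first(g, "setgid") in (None, "root"):
        findings.append(("high", "", "process keeps root (setuid/setgid missing or = root)"))
    if "chroot" not in g:
        findings.append(("medium", "", "no chroot; the process is not confined to a directory"))
    version = (first(g, "sslversion") or "").lower()
    if version in ("all", "sslv2", "sslv3"):
        findings.append(("high", "", f"sslVersion = {version} permits SSLv2/SSLv3 handshakes"))
    ciphers = (first(g, "ciphers") or "").lower()
    if "rc4" in ciphers and "!rc4" not in ciphers:
        findings.append(("medium", "", "cipher list admits RC4"))
    if (first(g, "debug") or "5").rsplit(".", 1)[-1].lower() in ("7", "debug"):
        findings.append(("info", "", "debug level 7 logs every TLS state transition; protect the output file"))
    for name, opts in sections.items():
        if name and "accept" in opts and "connect" not in opts:
            findings.append(("high", name, "accept without connect: nowhere to forward"))
        if name and (first(opts, "transparent") or "no").lower() == "yes":
            findings.append(("info", name, "transparent = yes connects with the client's source address; "
                                           "needs root/CAP_NET_ADMIN and policy routing for the reply path"))
    return findings

def summarize_log(lines):
    """Count accepted connections, backend connect timeouts and resets; collect ciphers."""
    stats, ciphers = Counter(), []
    for line in lines:
        m = LOG_LINE.match(line)
        msg = m.group(5) if m else None
        if msg is None:
            stats["unparsed"] += 1
        elif "accepted connection from" in msg:
            stats["accepted"] += 1
        elif msg.startswith("Negotiated ciphers:"):
            ciphers.append(msg.split(":", 1)[1].split()[0])
        elif msg.startswith("connect_blocking:") and msg.endswith("timeout"):
            stats["backend_timeout"] += 1  # backend never answered: look at routing, not TLS
        elif msg.startswith("Connection reset:"):
            stats["reset"] += 1
    return stats, ciphers
```

<div>Running audit_conf(parse_conf(SAMPLE_CONF)) reports the root identity, the missing chroot, sslVersion = all, the debug level and the transparent service; the hardened variant produces no findings. summarize_log(SAMPLE_LOG.splitlines()) shows one accepted TLS session (AES256-SHA over SSLv3) followed by one backend timeout and one reset, which is the pattern in the posted log: the TLS side succeeded and the failure is on the connect side.</div>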
<div style="font-family: arial,helvetica; font-size: 10pt; color: black;">-----Original Message-----<br>
From: Michal Trojnara <Michal.Trojnara@mirt.net><br>
To: stunnel-users@mirt.net<br>
Sent: Fri, Jan 7, 2011 3:41 am<br>
Subject: Re: [stunnel-users] RFC: purge use of keyword 'transparent'<br>
<br>
<div id="AOLMsgPart_4_e3069485-1b74-4ba7-b35e-26a6ccfc17b7">
<div>
<div>Dear Oscar,</div>
<div><br>
</div>
<div>"Oscar Usifer" <<a href="mailto:oscaruser@programmer.net">oscaruser@programmer.net</a>> wrote:</div>
<blockquote type="cite"><font color="black" face="Arial, Helvetica, sans-serif" size="2">
<div>After searching, installing various (in the 2.6 family), e.g. CentOS, Ubuntu, and so on, I have not been able to get transparent proxy working at all.</div>
</font></blockquote>
<div><br>
</div>
<div>LOL: <a target="_blank" href="http://catb.org/%7Eesr/faqs/smart-questions.html#id479555">http://catb.org/~esr/faqs/smart-questions.html#id479555</a></div>
<div><br>
</div>
<div>Could you please try to be a bit more specific (e.g. in terms of your stunnel and kernel versions, configuration, logs, packet captures, etc.)?</div>
<div><br>
</div>
<blockquote type="cite"><font color="black" face="Arial, Helvetica, sans-serif" size="2">
<div> As such, since the function does not work, and there is great debate as to whether it ever worked, I would like to propose that this keyword and reference to its function be discarded entirely. This will save many folks a great deal of time and effort attempting to try and get it to work, myself having spent over 80 hours (including my precious holiday time) trying to dig, scratch, research up old posts that say it works or someone has it working under such-and-such a configuration!</div>
</font></blockquote>
<div><br>
</div>
<div>Did you use any of those 80 hours to RTFM at <a target="_blank" href="http://stunnel.mirt.net/static/stunnel.html">http://stunnel.mirt.net/static/stunnel.html</a> ?</div>
<div><br>
</div>
<blockquote type="cite"><font color="black" face="Arial, Helvetica, sans-serif" size="2">
<div> The documentation itself has folks claiming that it works and does not, which is really a bad practice. Why did you perpetuate this option in the first place?!</div>
</font></blockquote>
<div><blockquote type="cite"><font color="black" face="Arial, Helvetica, sans-serif" size="2">
<div>I hope you see the importance and reason with my request and act immediately.</div>
<div> ... Unless someone really really does have it working. </div>
</font></blockquote>
<div><font color="black" face="Arial, Helvetica, sans-serif" size="2">
<div><span class="Apple-style-span" style="font-family: Helvetica; font-size: medium;"><br>
</span></div>
<div><span class="Apple-style-span" style="font-family: Helvetica; font-size: medium;">LOL: <a target="_blank" href="http://catb.org/%7Eesr/faqs/smart-questions.html#id478549">http://catb.org/~esr/faqs/smart-questions.html#id478549</a></span></div>
</font></div>
</div>
<div><br>
</div>
<div>Please make sure to read the whole <a target="_blank" href="http://catb.org/%7Eesr/faqs/smart-questions.html">http://catb.org/~esr/faqs/smart-questions.html</a> before sending another post to a mailing list.</div>
<div><br>
</div>
<div>Best regards,</div>
<div><span class="Apple-tab-span" style="white-space: pre;"> </span>Mike</div>
</div>
</div>
<!-- end of AOLMsgPart_4_e3069485-1b74-4ba7-b35e-26a6ccfc17b7 -->
<div id="AOLMsgPart_6_e3069485-1b74-4ba7-b35e-26a6ccfc17b7" style="margin: 0px; font-family: Tahoma,Verdana,Arial,Sans-Serif; font-size: 12px; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<pre style="font-size: 9pt;"><tt>_______________________________________________<br>
stunnel-users mailing list<br>
<a href="mailto:stunnel-users@mirt.net">stunnel-users@mirt.net</a><br>
<a href="http://stunnel.mirt.net/mailman/listinfo/stunnel-users" target="_blank">http://stunnel.mirt.net/mailman/listinfo/stunnel-users</a><br>
</tt></pre>
</div>
<!-- end of AOLMsgPart_6_e3069485-1b74-4ba7-b35e-26a6ccfc17b7 -->
</div>
</font></font>
</div>
<!-- end of AOLMsgPart_2_51d570f1-c983-4ebc-b4c6-1bccd96a9d89 -->
</div>
</font>