Folks,
For my server daemon process, I am accepting incoming requests only from pre-seeded IP addrs. Using Stunnel, I am finding connecting IPs are '127.0.0.1' or localhost. Is there any configuration or solution to represent incoming IPs for the given file descriptor belonging to their originating IP addrs?
Thank you.
[second sending of the same message]
OK, I see the transparent configuration option, but it looks to be only available for Linux. Tried on FreeBSD 7.3 amd64 and FBSD 8.1 amd64, with the same result: "local_bind (original port): Can't assign requested address (49)". Apparently v8.1 supports IP_BINDANY (man ip 8), but stunnel may not be using this feature (based on searching the stunnel-4.33 source code).
-----Original Message----- From: oscaruser@programmer.net To: stunnel-users@mirt.net Sent: Wed, Dec 29, 2010 2:07 pm Subject: [stunnel-users] Stunnel forwarding IP
On Wed, Dec 29, 2010 at 07:18:15PM -0500, oscaruser@programmer.net wrote:
Okay, what do people think about the attached patch that is based on Jason Helfman's work in a FreeBSD PR, but abstracts the transparent proxying option (and the setsockopt() level, and the option's name) so that it supports *both* the Linux IP_TRANSPARENT implementation and *BSD's IP_BINDANY one, and leaves the door open for others in the future?
I'm about to commit this patch to the FreeBSD port of stunnel in a couple of minutes; of course, it's up to Michal Trojnara to decide whether to integrate it upstream in this or any other shape or form :)
G'luck, Peter
Peter Pentchev wrote:
I appreciate your understanding of my principles. 8-)
I think the code should look something like:
    memcpy(&addr, &c->bind_addr.addr[0], sizeof addr);
    /* non-local bind on FreeBSD */
#if defined(IP_BINDANY) && defined(IPV6_BINDANY)
    int on=1;
    if(c->opt->option.transparent) {
        if(addr.sa.sa_family==AF_INET) { /* IPv4 */
            if(setsockopt(c->fd, IPPROTO_IP, IP_BINDANY, &on, sizeof on)) {
                sockerror("setsockopt IP_BINDANY");
                longjmp(c->err, 1);
            }
        } else { /* IPv6 */
            if(setsockopt(c->fd, IPPROTO_IPV6, IPV6_BINDANY, &on, sizeof on)) {
                sockerror("setsockopt IPV6_BINDANY");
                longjmp(c->err, 1);
            }
        }
    }
#endif /* non-local bind on FreeBSD */
Unfortunately I don't have any FreeBSD system configured to test it. Can you please do it for me and let me know if it compiles/works?
Mike
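The platform abstraction Peter describes (one transparent-bind routine that picks the setsockopt() level and option name for Linux IP_TRANSPARENT or *BSD IP_BINDANY), written out as an added example; this is not stunnel's code or the FreeBSD port's patch. The helper names enable_nonlocal_bind and bind_as_client are hypothetical, IPPROTO_IP is used in place of Linux's SOL_IP (they are the same value), and the constructed client address is from the TEST-NET-1 range.

```c
/* Hypothetical helper, not stunnel code: enable non-local ("transparent")
 * binding on fd for one address family, selecting the option at compile time. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Returns 0 on success; -1 with errno set on failure.  errno is ENOTSUP
 * when this build has no transparent-proxy option for the family, and
 * EAFNOSUPPORT for families other than AF_INET/AF_INET6.  *optname
 * receives the option that was tried, for error messages. */
int enable_nonlocal_bind(int fd, int family, const char **optname) {
    int on = 1;
    *optname = NULL;
    if (family == AF_INET) {
#if defined(IP_TRANSPARENT)          /* Linux TPROXY; needs CAP_NET_ADMIN */
        *optname = "IP_TRANSPARENT";
        return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof on);
#elif defined(IP_BINDANY)            /* FreeBSD 8.x ip(4) */
        *optname = "IP_BINDANY";
        return setsockopt(fd, IPPROTO_IP, IP_BINDANY, &on, sizeof on);
#endif
    } else if (family == AF_INET6) {
#if defined(IPV6_TRANSPARENT)
        *optname = "IPV6_TRANSPARENT";
        return setsockopt(fd, IPPROTO_IPV6, IPV6_TRANSPARENT, &on, sizeof on);
#elif defined(IPV6_BINDANY)
        *optname = "IPV6_BINDANY";
        return setsockopt(fd, IPPROTO_IPV6, IPV6_BINDANY, &on, sizeof on);
#endif
    } else {
        errno = EAFNOSUPPORT;
        return -1;
    }
    errno = ENOTSUP;                 /* family known, no option on this platform */
    return -1;
}

/* What stunnel's transparent mode does for the outgoing socket: bind it to the
 * original client's address so the backend sees that address, not 127.0.0.1.
 * Failure is reported to the caller instead of silently binding locally. */
int bind_as_client(int fd, const struct sockaddr *client, socklen_t len,
                   const char **optname) {
    if (enable_nonlocal_bind(fd, client->sa_family, optname) != 0)
        return -1;
    return bind(fd, client, len);
}
```

Even when the bind succeeds, the backend's replies go to the real client address, so, as the rest of this thread shows, the host still needs a route or firewall rule that steers that return traffic back through the proxy.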
Please remove me from list. Thank you Sent from my Verizon Wireless BlackBerry
-----Original Message----- From: Michal Trojnara Michal.Trojnara@mirt.net Sender: stunnel-users-bounces@mirt.net Date: Sat, 15 Jan 2011 22:13:02 To: Stunnel Users Mailing Liststunnel-users@mirt.net Subject: Re: [stunnel-users] Stunnel forwarding IP
_______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Folks,
Not wanting to sound like the voice in the wilderness... but there is now a FreeBSD 8.x patch for stunnel to utilize the IP_BINDANY setsockopt. It does not work fully, only partly: the traffic looks like it's coming from the external IP address to the internal service, but the service cannot talk back on this IP address, either because of network routing or because the kernel does not recognize the instruction to speak to the foreign address via proxy.
http://www.FreeBSD.org/cgi/query-pr.cgi?pr=153568 http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/stunnel/files/patch-src... http://www.freebsd.org/cgi/query-pr-summary.cgi?category=&severity=&...
After testing numerous pf rules, I've come to the conclusion pf cannot produce the result.
int_if="lo0"
ext_if="ed0" # 192.168.103.x
ext2_if="ed1" # 10.0.0.5
rdr pass log inet proto tcp from 192.168.103.69 to $int_if port 80 -> $int_if
nat pass log inet proto tcp from 192.168.103.69 to $int_if port 80 -> $int_if
or
pass in log on $ext_if reply-to ($ext2_if 10.0.0.5) from 192.168.103.69 synproxy state
Neither of these rule sets works, but the first actually rewrites the source IP to the internal IP, thereby undoing the proxy function. The second creates a connection, thus synchronizing the connection at pf, but the actual network traffic is listed via tcpdump.
Another project seems to accomplish this goal via ipfw 'fwd' rules (IPFIREWALL_FORWARD).
# ipfw add 100 fwd 127.0.0.1,10025 tcp from not me to any 25
http://thewalter.net/stef/software/clamsmtp/transparent.html