Article delegate-en/4344 of [1-5113] on the server localhost:119
Re: Few questions about transparent proxy & srcif
Sun, 11 Jan 2009     Yutaka Sato

Hi,

In message  on 01/11/09(04:24:45)
 |> I should have said that I'm testing these under MacOSX.  I also have
 |> FreeBSD (4, 5, 6 and 7 for testing the binary distribution of DeleGate) but
 |> "ipfw fwd" on them fail with "ipfw: getsockopt(IP_FW_ADD): Invalid argument"
 |> (and I'm not so interested in FreeBSD:p)
 |Seems as kernel rebuilding with "options IPFIREWALL_FORWARD" required.

I know that, since I searched for what the error message implies, but
I don't know how to enable the option in the kernel.  If I need some
recompilation or so, I will not try it because I don't like to have
DeleGate depend on some specific kernel option rather than the generic.
Anyway, I'm working on MacOSX in which the option is enabled by default.

 |> Using the same proxy under the same configuration, with the patch,
 |> I confirmed it can be used also as a virtual Host based proxy and
 |> a usual proxy, and an origin server by the following test.
 |Thanks. I patched 9.9.0 with attached patch & confirm that transparent
 |proxy now works on freebsd 6.3-p2 with configuration like:
 |-P127.0.0.1:3128
 |SRCIF=192.168.77.11
 |SERVER="tcprelay://odst.-:-/*"
 |RELAY=vhost
 |
 |But seems at least error reporting to client and proxy forwarding in
 |transparent mode are broken. Client receives blank white page in both
 |cases.

You are specifying SERVER=tcprelay with which no interpretation (or
generation) for an application protocol (HTTP in this case) is done
by DeleGate.  Thus no error message handling is done, and RELAY=vhost
has no effect.  At least you need to specify as
  SERVER="http://odst.-:-"
to enable those capabilities which are specific to the HTTP protocol.

 |PS. Seems you miss my second question about SRCIF and disabling
 |default gateway routing (Q2 in first mail).

We should solve independent problems one by one.
If your requirement is bypassing routing for outgoing connection (and/or
if you can use the network interface for incoming connection for it),
  SRCIF="dontroute.clif.-"
will be useful as written in
<URL:http://www.delegate.org/mail-lists/delegate-en/4030>
Maybe you need 9.9.1-pre7 to make this work because this needs recognition
of real incoming interface, which was realized for ipfw in 9.9.1-pre7.

Cheers,
Yutaka
--
  9 9   Yutaka Sato http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller