<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Dear Johns,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Yes, you are right, the real environment is more
complicated than my last description, so I created a new simple environment
and tested it again. The new environment has four nodes only: client (firefox)
&lt;-&gt; tcpdump &lt;-&gt; zorp &lt;-&gt; server (Internet)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>zorp config:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2># brctl show</FONT></DIV>
<PRE>bridge name     bridge id               STP enabled     interfaces
br0             8000.003048427898       no              eth0
                                                        eth1
</PRE>
<DIV><FONT face=Arial size=2># ifconfig -a</FONT></DIV>
<PRE>br0       Link encap:Ethernet  HWaddr 00:30:48:42:78:98
          inet addr:192.168.88.221  Bcast:192.168.88.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2562 errors:0 dropped:0 overruns:0 frame:0
          TX packets:371 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:448376 (437.8 Kb)  TX bytes:136651 (133.4 Kb)

dummy0    Link encap:Ethernet  HWaddr 42:CC:24:E8:34:AE
          inet addr:172.16.44.10  Bcast:172.16.44.11  Mask:255.255.255.254
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:30:48:42:78:98
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:9934 errors:0 dropped:0 overruns:0 frame:0
          TX packets:571 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:822121 (802.8 Kb)  TX bytes:197993 (193.3 Kb)
          Base address:0xa000 Memory:ec000000-ec020000

eth1      Link encap:Ethernet  HWaddr 00:30:48:42:78:99
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:364 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1962 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:169726 (165.7 Kb)  TX bytes:302393 (295.3 Kb)
          Base address:0xa400 Memory:ec020000-ec040000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:33 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1916 (1.8 Kb)  TX bytes:1916 (1.8 Kb)
</PRE>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2># ip route list</FONT></DIV>
<PRE>172.16.44.10/31 dev dummy0  scope link
192.168.88.0/24 dev br0  scope link
127.0.0.0/8 dev lo  scope link
default via 192.168.88.1 dev br0
</PRE>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Client IP is 192.168.88.166.</FONT></DIV>
<DIV><FONT face=Arial size=2>The tcpdump host is in bridge mode too, and its IP is
192.168.88.220.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>After testing it again and again, I think I may
have found something about why the zorp dummy IP is seen by the client;
tcpdump output below:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<PRE>14:35:06.298555 IP 172.16.44.10.60080 &gt; 192.168.88.166.1665: P 991843042:991843074(32) ack 779229395 win 6432
14:35:06.298923 IP 172.16.44.10.60080 &gt; 192.168.88.166.1665: . 32:1492(1460) ack 1 win 6432
14:35:06.298956 IP 172.16.44.10.60080 &gt; 192.168.88.166.1665: . 1492:2952(1460) ack 1 win 6432
14:35:06.298982 IP 172.16.44.10.60080 &gt; 192.168.88.166.1665: FP 2952:3530(578) ack 1 win 6432
14:35:06.299275 IP 192.168.88.166.1665 &gt; 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:06.299298 IP 192.168.88.166.1665 &gt; 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:06.299317 IP 192.168.88.166.1665 &gt; 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:06.299742 IP 192.168.88.166.1665 &gt; 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:09.298919 IP 172.16.44.10.60080 &gt; 192.168.88.166.1665: P 0:32(32) ack 1 win 6432
14:35:09.300223 IP 192.168.88.166.1665 &gt; 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:15.296912 IP 172.16.44.10.60080 &gt; 192.168.88.166.1665: P 0:32(32) ack 1 win 6432
14:35:15.298446 IP 192.168.88.166.1665 &gt; 172.16.44.10.60080: R 779229395:779229395(0) win 0
14:35:26.355720 IP 172.16.44.10.60080 &gt; 192.168.88.166.1666: P 1004186045:1004186077(32) ack 784265389 win 6432
</PRE>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>If a client&lt;-&gt;server entry exists in
/proc/net/tproxy, zorp will use it to hide the dummy IP; when the entry has been
deleted for some reason,</FONT></DIV>
<DIV><FONT face=Arial size=2>zorp can't hide the dummy IP.</FONT></DIV>
<DIV><FONT face=Arial size=2>But why the entry is deleted before zorp
finishes its job, I don't know; maybe it's a bug or an unmatched timeout setup, I
guess.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>//ZhouLi</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT><FONT face=Arial size=2></FONT> </DIV>
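<DIV><FONT face=Arial size=2>The capture above is the pattern a defender wants to catch automatically: with forge_addr the client should only ever see the server's address, so any packet on the client-facing segment whose source is the proxy's own dummy address is a transparency leak, and the client's repeated RST/win 0 replies followed by the proxy retransmitting the same 32-byte segment show a client that has no socket for that peer. The Python script below is an added example for this thread, not code from the zorp project or from either poster. It assumes the two tcpdump text formats seen in this thread (with and without the "IP" and 802.1Q prefixes, legacy single-letter flags) and takes the dummy address 172.16.44.10 as the set of proxy-owned addresses that must never appear on that capture. The first sample is copied from the capture above; the second is built from the VLAN-tagged lines quoted further down, with the truncated fourth line dropped.</FONT></DIV>

```python
"""Flag transparent-proxy address leaks in a client-side tcpdump capture.

Added example for this thread (not zorp project code).  For each client
socket it counts packets that carried a proxy-owned source address, RSTs the
client sent back to that address, and payload segments the proxy kept
sending after the client's first RST (the retransmission pattern in the
posted capture).
"""
import re
from collections import defaultdict

# Proxy-owned addresses that must never be visible to the client (dummy0 in the thread).
PROXY_ADDRS = {"172.16.44.10"}

# Lines copied from the capture posted in the thread (client side of zorp).
SAMPLE_CAPTURE = [
    "14:35:06.298555 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 991843042:991843074(32) ack 779229395 win 6432",
    "14:35:06.298923 IP 172.16.44.10.60080 > 192.168.88.166.1665: . 32:1492(1460) ack 1 win 6432",
    "14:35:06.298956 IP 172.16.44.10.60080 > 192.168.88.166.1665: . 1492:2952(1460) ack 1 win 6432",
    "14:35:06.298982 IP 172.16.44.10.60080 > 192.168.88.166.1665: FP 2952:3530(578) ack 1 win 6432",
    "14:35:06.299275 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0",
    "14:35:06.299298 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0",
    "14:35:06.299317 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0",
    "14:35:06.299742 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0",
    "14:35:09.298919 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 0:32(32) ack 1 win 6432",
    "14:35:09.300223 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0",
    "14:35:15.296912 IP 172.16.44.10.60080 > 192.168.88.166.1665: P 0:32(32) ack 1 win 6432",
    "14:35:15.298446 IP 192.168.88.166.1665 > 172.16.44.10.60080: R 779229395:779229395(0) win 0",
    "14:35:26.355720 IP 172.16.44.10.60080 > 192.168.88.166.1666: P 1004186045:1004186077(32) ack 784265389 win 6432",
]

# Constructed from the earlier VLAN-tagged capture in the thread (older tcpdump
# format, no "IP" keyword); the truncated fourth line is left out.
VLAN_CAPTURE = [
    "16:10:57.975579 802.1Q vlan#3 P0 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)",
    "16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)",
    "16:10:57.975831 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:3812615646(0) win 0",
]

# Assumed line shape: timestamp, optional "IP", optional "802.1Q vlan#N Pn",
# src.port > dst.port:, legacy flags (S P F R .), optional "seq:seq(len)".
_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:IP\s+)?"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SPFR.]+)"
    r"(?:\s+\d+:\d+\((?P<length>\d+)\))?"
)


def parse_line(line):
    """Return the fields of one tcpdump line as a dict, or None if unparsable."""
    m = _LINE.match(line.strip())
    if m is None:
        return None
    h, mi, s = m.group("ts").split(":")
    return {
        "ts": int(h) * 3600 + int(mi) * 60 + float(s),  # seconds since midnight
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": m.group("flags"),
        "length": int(m.group("length") or 0),
    }


def analyse(lines, proxy_addrs):
    """Group packets by (client ip, client port, proxy ip, proxy port) and
    count per flow: leaked proxy-sourced packets, client RSTs, and proxy
    payload segments sent after the client's first RST."""
    flows = defaultdict(lambda: {"leaked": 0, "client_rst": 0,
                                 "data_after_rst": 0, "_first_rst": None})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["src"] in proxy_addrs:                 # proxy -> client: the leak itself
            f = flows[(p["dst"], p["dport"], p["src"], p["sport"])]
            f["leaked"] += 1
            if p["length"] > 0 and f["_first_rst"] is not None and p["ts"] > f["_first_rst"]:
                f["data_after_rst"] += 1            # retransmitting into a dead socket
        elif p["dst"] in proxy_addrs:               # client -> proxy address
            f = flows[(p["src"], p["sport"], p["dst"], p["dport"])]
            if "R" in p["flags"]:
                f["client_rst"] += 1
                if f["_first_rst"] is None:
                    f["_first_rst"] = p["ts"]
    return {k: {n: v for n, v in f.items() if not n.startswith("_")}
            for k, f in flows.items()}


if __name__ == "__main__":
    for (client, cport, proxy, pport), s in analyse(SAMPLE_CAPTURE, PROXY_ADDRS).items():
        print(f"{client}:{cport} saw proxy {proxy}:{pport}: leaked={s['leaked']} "
              f"client_rst={s['client_rst']} data_after_rst={s['data_after_rst']}")
```

<DIV><FONT face=Arial size=2>Run on the capture above it reports flow 192.168.88.166:1665 with six leaked packets, six client RSTs and two payload segments retransmitted after the first RST, and flow 1666 with one leaked packet and no reply yet; a capture from a correctly forging proxy, where the client only ever sees 192.168.88.10, produces no flows at all, which is the condition a monitoring job on the bridge host can alert on.</FONT></DIV>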
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=andrew.johns@gmail.com href="mailto:andrew.johns@gmail.com">A
Johns</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=zorp@lists.balabit.hu
href="mailto:zorp@lists.balabit.hu">Zorp users mailing list</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, July 11, 2007
07:15</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [zorp] Why client can see ip
address of dummy interface</DIV>
<DIV><FONT face=Arial size=2></FONT><FONT face=Arial size=2></FONT><FONT
face=Arial size=2></FONT><FONT face=Arial
size=2></FONT><BR></DIV>Li,<BR><BR>More questions than answers, but we'll get
to the cause of this...<BR><BR>Does zorp have a 192.168.88.x address assigned
to either of its interfaces? Does it have 2 interfaces or more? Can you
provide a tcpdump trace of the sequence leading up to the below and include
any ARP requests also? <BR><BR><SPAN class=q id=q_113aef2e46390760_1>
<DIV><FONT face=Arial size=2># tcpdump | grep <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.16.44.10/" target=_blank>172.16.44.10</A></FONT> </DIV>
<DIV><FONT face=Arial size=2>16:10:57.975579 802.1Q vlan#3 P0
172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680
(DF)<BR>16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P
0:32(32) ack 1 win 11680 (DF)<BR>16:10:57.975831 192.168.88.166.2883 >
172.16.44.10.60080: R 3812615646:3812615646(0) win 0<BR>16:10:57.975860 802.1Q
vlan#3 P0 192.168.88.166.2883 > 172.16.44.10.60080: R
3812615646:38126156</FONT></DIV></SPAN><BR>i.e. was there a 3-way TCP handshake
between client and server (or zorp) before the above? What ARP
requests/replies were sent/received by the client/zorp/server, if any?
And can you include 'netstat -rn' (routing table) info too please - I'm not
sure how these devices are communicating directly unless you have multiple
networks (ie <A href="http://192.168.88.0/24">192.168.88.0/24</A> and <A
href="http://172.16.44.0/24">172.16.44.0/24</A>) attached to the same network
segment?<BR><BR>I agree that you should not be able to see the client IP - did
it work before in the past or is this the first time you've done this?
<BR><BR>I see you have VLANs configured also - are these 3 devices the only
devices on the network or is it much more complicated than the original ascii
diagram? Can you provide a more detailed diagram showing any other
switches/firewalls/gateways on your network?
<BR><BR>--<BR>Regards<BR>AJ<BR><BR>NetSafety - Internet Security Made
Easy<BR><BR>
<DIV><SPAN class=gmail_quote>On 7/10/07, <B class=gmail_sendername>Zhou Li</B>
<<A href="mailto:zhou.li@ca-jc.com">zhou.li@ca-jc.com </A>>
wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV bgcolor="#ffffff">
<DIV><FONT face=Arial size=2>Yes, Johns, it works in bridge mode.
//ZhouLi</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,0) 2px solid; MARGIN-RIGHT: 0px">
<DIV><SPAN class=e id=q_113aef2e46390760_1>
<DIV
style="FONT: 10pt arial; font-size-adjust: none; font-stretch: normal">-----
Original Message ----- </DIV>
<DIV
style="BACKGROUND: rgb(228,228,228) 0% 50%; FONT: 10pt arial; font-size-adjust: none; font-stretch: normal; moz-background-clip: -moz-initial; moz-background-origin: -moz-initial; moz-background-inline-policy: -moz-initial"><B>From:</B>
<A title=andrew.johns@gmail.com
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:andrew.johns@gmail.com" target=_blank>A Johns</A> </DIV>
<DIV
style="FONT: 10pt arial; font-size-adjust: none; font-stretch: normal"><B>To:</B>
<A title=zorp@lists.balabit.hu
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:zorp@lists.balabit.hu" target=_blank>Zorp users mailing
list</A> </DIV>
<DIV
style="FONT: 10pt arial; font-size-adjust: none; font-stretch: normal"><B>Sent:</B>
Tuesday, July 10, 2007 14:56 </DIV>
<DIV
style="FONT: 10pt arial; font-size-adjust: none; font-stretch: normal"><B>Subject:</B>
Re: [zorp] Why client can see ip address of dummy interface</DIV>
<DIV><BR></DIV>Hi ZhouLi,<BR><BR>See below<BR><BR>
<DIV><SPAN class=gmail_quote>On 7/9/07, <B class=gmail_sendername>Zhou
Li</B> <<A onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:zhou.li@ca-jc.com" target=_blank>zhou.li@ca-jc.com</A>>
wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV bgcolor="#ffffff">
<DIV><FONT face=Arial size=2>I tested Zorp 3.0.14b +
cttproxy 2.0.6 for kernel 2.6.17 and it works fine for me, but I
found the client can</FONT></DIV>
<DIV><FONT face=Arial size=2>see the IP address of the dummy
interface, which I can't understand.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>client(<A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://192.168.88.166" target=_blank>192.168.88.166</A>)
<--> zorp(dummy ip <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.16.44.10" target=_blank>172.16.44.10</A>) <-->
server(<A onclick="return top.js.OpenExtLink(window,event,this)"
href="http://192.168.88.10" target=_blank>
192.168.88.10</A>)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>
<DIV><FONT face=Arial size=2># iptables -t tproxy -I PREROUTING -p tcp
--dport 80 -j TPROXY --on-ip <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.16.44.10" target=_blank>172.16.44.10</A> --on-port
60080</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV></DIV>
<DIV><FONT face=Arial size=2>instances.conf:</FONT></DIV>
<DIV><FONT face=Arial size=2>http -T -v 1 -s core.error:0 -p
/usr/local/etc/zorp/http.py -B <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.16.44.10" target=_blank>172.16.44.10</A></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>http.py:</FONT></DIV>
<DIV><FONT face=Arial size=2>.</FONT></DIV>
<DIV><FONT face=Arial size=2>.</FONT></DIV>
<DIV><FONT face=Arial size=2>.</FONT></DIV>
<DIV><FONT face=Arial size=2>def zorp():<BR>&nbsp;&nbsp;&nbsp;&nbsp;Service("http",
MyHttp, router=TransparentRouter(forge_addr=TRUE,
forge_port=Z_PORT_EXACT))<BR>&nbsp;&nbsp;&nbsp;&nbsp;Listener(SockAddrInet("172.16.44.10", 60080),
"http", transparent=TRUE, mark_tproxy=TRUE)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>
<DIV><FONT face=Arial size=2>When I make a new HTTP request from the client
to the server, tcpdump displays the information
below.</FONT></DIV></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>tcpdump on client</FONT></DIV>
<DIV><FONT face=Arial size=2># tcpdump | grep <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.16.44.10" target=_blank>172.16.44.10</A></FONT></DIV>
<DIV><FONT face=Arial size=2>16:10:57.975579 802.1Q vlan#3 P0
172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680
(DF)<BR>16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P
0:32(32) ack 1 win 11680 (DF)<BR>16:10:57.975831 192.168.88.166.2883
> 172.16.44.10.60080: R 3812615646:3812615646(0) win
0<BR>16:10:57.975860 802.1Q vlan#3 P0 192.168.88.166.2883 >
172.16.44.10.60080: R 3812615646:38126156</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>tcpdump on server</FONT></DIV>
<DIV><FONT face=Arial size=2>
<DIV><FONT face=Arial size=2># tcpdump | grep <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.16.44.10"
target=_blank>172.16.44.10</A></FONT></DIV></FONT></DIV>
<DIV><FONT face=Arial size=2>16:10:57.538207 arp who-has <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://192.168.88.10" target=_blank>192.168.88.10</A> tell <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://172.16.44.10" target=_blank>172.16.44.10</A></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>My question is: how to avoid the client seeing the
dummy IP address?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>ZhouLi</FONT></DIV></DIV></BLOCKQUOTE>
<DIV><BR></DIV>
<DIV><BR>Does TProxy work in bridge mode - you appear to have the same
network address/mask on both zorp interfaces - is this correct? Or is this
on a VMWare system?
<BR><BR></DIV></DIV></SPAN></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR><BR>
<P>
<HR>
<P></P>_______________________________________________<BR>zorp mailing
list<BR>zorp@lists.balabit.hu<BR>https://lists.balabit.hu/mailman/listinfo/zorp<BR><BR><BR><BR></BLOCKQUOTE>
<BR>
____ KILL Mail Security Gateway has scanned this message ____<BR>
</BODY></HTML>