Li,
More questions than answers, but we'll get to the cause of this...
Does zorp have a 192.168.88.x address assigned to either of its interfaces? Does it have 2 interfaces or more? Can you provide a tcpdump trace of the sequence leading up to the below and include any ARP requests also?
16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975831 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:3812615646(0) win 0
16:10:57.975860 802.1Q vlan#3 P0 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:38126156
i.e.: was there a 3-way TCP handshake between client and server (or zorp) before the above? What ARP requests/replies were sent/received by the client/zorp/server, if any? And can you include 'netstat -rn' (routing table) info too please - I'm not sure how these devices are communicating directly unless you have multiple networks (i.e. 192.168.88.0/24 and 172.16.44.0/24) attached to the same network segment?
I agree that you should not be able to see the client IP - did it work before in the past or is this the first time you've done this?
I see you have VLANs configured also - are these 3 devices the only devices on the network or is it much more complicated than the original ascii diagram? Can you provide a more detailed diagram showing any other switches/firewalls/gateways on your network?
--
Regards
AJ
NetSafety - Internet Security Made Easy
Yes, Johns, it works in bridge mode.

//ZhouLi

----- Original Message -----
From: A Johns
Sent: Tuesday, July 10, 2007 14:56
Subject: Re: [zorp] Why client can see ip address of dummy interface

Hi ZhouLi,
See below
On 7/9/07, Zhou Li <zhou.li@ca-jc.com> wrote:

I tested Zorp 3.0.14b + 2.0.6 cttproxy for kernel 2.6.17 and it works fine for me, but I found that the client can see the IP address of the dummy interface, which I can't understand.

# iptables -t tproxy -I PREROUTING -p tcp --dport 80 -j TPROXY --on-ip 172.16.44.10 --on-port 60080

instances.conf:

http -T -v 1 -s core.error:0 -p /usr/local/etc/zorp/http.py -B 172.16.44.10

http.py:

...
def zorp():
    Service("http", MyHttp, router=TransparentRouter(forge_addr=TRUE, forge_port=Z_PORT_EXACT))
    Listener(SockAddrInet('172.16.44.10', 60080), "http", transparent=TRUE, mark_tproxy=TRUE)

When I make a new HTTP request from the client to the server, tcpdump displays the information below.

tcpdump on client:

# tcpdump | grep 172.16.44.10
16:10:57.975579 802.1Q vlan#3 P0 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975611 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975831 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:3812615646(0) win 0
16:10:57.975860 802.1Q vlan#3 P0 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:38126156

tcpdump on server:

# tcpdump | grep 172.16.44.10
16:10:57.538207 arp who-has 192.168.88.10 tell 172.16.44.10

My question is: how do I avoid the client seeing the dummy IP address?

ZhouLi
Does TProxy work in bridge mode - you appear to have the same network address/mask on both zorp interfaces - is this correct? Or is this on a VMWare system?
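AJ's first question, whether the client ever completed a three-way handshake with the address it is now answering with a RST, can be checked mechanically from the capture. The script below is an added example, not part of the thread or of Zorp: it walks classic single-line tcpdump output, tracks which 4-tuples completed SYN, SYN/ACK, ACK, and flags data arriving on a 4-tuple that never did, plus the RST that answers it. The trace it runs on is constructed to resemble the thread's (a handshake with 192.168.88.10:80, then the PSH from 172.16.44.10:60080 and the client's RST); the handshake lines and the ISNs are assumptions, not from the posted capture.

```python
"""Reconstruct TCP flow state from classic single-line tcpdump output.

Added example for the zorp thread above; not part of the thread or of Zorp.
It answers the question "did the client ever complete a 3-way handshake
with the address it is now RST-ing?" by tracking SYN / SYN-ACK / ACK per
4-tuple and flagging data that arrives on a 4-tuple with no handshake,
plus the RST that answers it.
"""
import re

# Constructed sample modelled on the thread's capture.  The first three
# lines (the handshake with the real server) and the ISNs are assumptions;
# the PSH and RST lines mirror what the poster saw.
SAMPLE_TRACE = """\
16:10:57.100001 192.168.88.166.2883 > 192.168.88.10.80: S 3812615645:3812615645(0) win 5840 (DF)
16:10:57.100200 192.168.88.10.80 > 192.168.88.166.2883: S 2468013579:2468013579(0) ack 3812615646 win 5792 (DF)
16:10:57.100300 192.168.88.166.2883 > 192.168.88.10.80: . ack 1 win 5840 (DF)
16:10:57.538207 arp who-has 192.168.88.10 tell 172.16.44.10
16:10:57.975579 802.1Q vlan#3 P0 172.16.44.10.60080 > 192.168.88.166.2883: P 0:32(32) ack 1 win 11680 (DF)
16:10:57.975831 192.168.88.166.2883 > 172.16.44.10.60080: R 3812615646:3812615646(0) win 0
"""

# One classic tcpdump TCP line, optionally prefixed with an 802.1Q tag
# ("802.1Q vlan#3 P0") as in the thread's capture.
_TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+)\s*(?P<rest>.*)$"
)


def parse_segment(line):
    """Parse one line; return None for ARP and anything else non-TCP."""
    m = _TCP_LINE.match(line.strip())
    if m is None:
        return None
    seg = m.groupdict()
    rest = seg.pop("rest")
    seg["sport"], seg["dport"] = int(seg["sport"]), int(seg["dport"])
    # Old tcpdump prints "ack N" only when the ACK flag is set, and the
    # payload length in parentheses after the sequence range, e.g. "0:32(32)".
    seg["ack"] = re.search(r"\back \d+", rest) is not None
    size = re.search(r"\((\d+)\)", rest)
    seg["len"] = int(size.group(1)) if size else 0
    return seg


def analyze(trace):
    """Return (state, findings).

    state maps each 4-tuple (a frozenset of two (ip, port) pairs) to
    "syn", "synack" or "established"; findings lists anomalies in order.
    """
    state, findings = {}, []
    for raw in trace.splitlines():
        seg = parse_segment(raw)
        if seg is None:
            continue
        key = frozenset([(seg["src"], seg["sport"]), (seg["dst"], seg["dport"])])
        flags, cur = seg["flags"], state.get(key)
        where = f"{seg['ts']} {seg['src']}:{seg['sport']} -> {seg['dst']}:{seg['dport']}"
        if "S" in flags and not seg["ack"]:
            state[key] = "syn"
        elif "S" in flags and seg["ack"] and cur == "syn":
            state[key] = "synack"
        elif flags == "." and seg["ack"] and cur == "synack":
            state[key] = "established"
        elif "R" in flags:
            findings.append(f"{where}: RST (flow state: {cur or 'none'})")
        elif seg["len"] > 0 and cur != "established":
            findings.append(f"{where}: {seg['len']} bytes of data, no handshake on this 4-tuple")
    return state, findings


def peers_established(state, host):
    """Addresses that completed a handshake with host, whichever side initiated."""
    peers = set()
    for key, st in state.items():
        ips = {ip for ip, _ in key}
        if st == "established" and host in ips:
            peers |= ips - {host}
    return peers


if __name__ == "__main__":
    st, found = analyze(SAMPLE_TRACE)
    print("client handshaked with:", sorted(peers_established(st, "192.168.88.166")))
    for f in found:
        print(f)
```

On the constructed trace the client's only established peer is 192.168.88.10, and the 32-byte PSH from 172.16.44.10:60080 lands on a 4-tuple the client never opened, which is exactly why its stack answers with a RST. The regex assumes the single-line format of the tcpdump version used in the thread; newer tcpdump prints `Flags [P.]` and needs a different pattern.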