Hi!

Could Zorp work as a "real" transparent proxy, so that neither client nor server will see its IP address? I need this for per-IP bandwidth limiting. This example illustrates it:

client1 ----- zorp_transparent_firewall ----- internet ----- server
client2
..
clientn

Clients have _public_ IPs. Is this possible: when a client connects to a server, Zorp intercepts that connection, does protocol analysis etc., and then connects to the server as the _client_ IP. So the server sees in its log that the connection was made by the client, not by the Zorp machine.

If Zorp could do this, I could set per-IP bandwidth limiting (CBQ rules) on both firewall interfaces, not only on the internal NIC. Therefore outgoing traffic would be shaped too.

--
c0g@wp.pl
On Mon, 31 Mar 2003, c0g wrote:
Hi! Could Zorp work as a "real" transparent proxy, so that neither client nor server will see its IP address? I need this for per-IP bandwidth limiting. This example illustrates it:

client1 ----- zorp_transparent_firewall ----- internet ----- server
client2
..
clientn

Clients have _public_ IPs. Is this possible: when a client connects to a server, Zorp intercepts that connection, does protocol analysis etc., and then connects to the server as the _client_ IP. So the server sees in its log that the connection was made by the client, not by the Zorp machine.

If Zorp could do this, I could set per-IP bandwidth limiting (CBQ rules) on both firewall interfaces, not only on the internal NIC. Therefore outgoing traffic would be shaped too.
Hi,

I am not sure about your point of doing traffic shaping, but anyhow you can do it with Zorp, of course. You need to use ForgeClientSourceNAT as the SNAT, or if you use TransparentRouter you can set the forge_addr attribute to TRUE. Both end up the same way: when Zorp connects to the server it uses the client's original IP address as the source address of the connection.

Look out for the routing: the router must route packets to the clients through the fw! Don't forget to use the tproxy patch with 2.4 kernels; it's needed for transparency.

bye,
Marci
| You need to use ForgeClientSourceNAT as the SNAT, or if you use
| TransparentRouter you can set the forge_addr attribute to TRUE.
|
| Both end up the same way: when Zorp connects to the server it uses the
| client's original IP address as the source address of the connection.

So - it could be done! Great! :)

| I am not sure about your point of doing traffic shaping, but anyhow you
| can do it with Zorp, of course.

The problem with my current squid transparent proxy is that proxied connections come from squid's IP. So the CBQ filters on the external NIC (which catch outgoing non-HTTP traffic and put it into the appropriate queues) don't work for HTTP. It is a "hole" in my bandwidth limiting scheme; clients can upload through HTTP at full speed!

Of course, I could use squid's traffic shaping features, but I don't think that is the right way. The squid queue and the CBQ queue are separate, and this makes borrowing bandwidth from unused classes impossible.

I read that Zorp supports a parent proxy, so I could use it as a "child" proxy for my squid... *oops* Just now I realized that connections forwarded to squid will make squid initiate the connection to the outside world... with its own source IP... :-P

But maybe there is a solution to my traffic shaping problem? Maybe Zorp and/or netfilter can do some magic to translate these connections? Or maybe Zorp has an HTTP cache, so I don't need squid?

Greetings!

--
c0g@wp.pl
On Mon, 31 Mar 2003, c0g wrote:
Just now I realized that connections forwarded to squid will make squid initiate the connection to the outside world... with its own source IP... :-P

But maybe there is a solution to my traffic shaping problem? Maybe Zorp and/or netfilter can do some magic to translate these connections? Or maybe Zorp has an HTTP cache, so I don't need squid?
Hi,

Zorp does not have a built-in HTTP cache functionality. What you can do is the following: have your squid in your intranet, and let the clients connect to it. Zorp accepts connections only from the squid. When the squid requests a URL from Zorp it puts an X-Forwarded-For: header in the request. With some tricks Zorp can do an SNAT based on that header. So you can cache the connection, and the connections will look like they come from the original client.

Of course in this way you have to trust the squid, which might be a security risk, and you should also do some kind of verification on the header value. In this way you are not transparent to the clients, because you have to set the squid as a parent proxy.

I am just thinking about a solution to make zorp+squid absolutely transparent to the clients and to the servers.

Hope it helps you,
Marci
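The "verification on the header value" Marci mentions is the part that decides whether this design is safe, so here is an added example of what that check can look like. It is not Zorp code and uses no Zorp API; it is a plain-Python model of the decision a proxy has to make before forging a source address: honour X-Forwarded-For only when the TCP peer is the trusted squid box, accept the header only once, take only the hop squid itself appended, and refuse anything outside the prefixes our own clients live in. TRUSTED_PROXY, CLIENT_NETS, choose_source_address, is_forgeable and the sample requests are assumptions constructed for illustration.

```python
"""Verify an X-Forwarded-For value before forging it as the source address.

Added example for this thread; it is not Zorp code and uses no Zorp API.  It
models the check described in the reply above: the header is honoured only
when the TCP peer is the squid box, and its value is validated before anything
is SNATed to it.  TRUSTED_PROXY, CLIENT_NETS, choose_source_address and the
sample requests below are assumptions constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Union

# Constructed values: the squid box that is allowed to speak for clients, and
# the public prefixes our own clients live in (only these may be impersonated).
TRUSTED_PROXY = ipaddress.ip_address("192.0.2.10")
CLIENT_NETS = [ipaddress.ip_network("198.51.100.0/24")]

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class ForgeError(ValueError):
    """No client address may be forged for this connection."""


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Parse HTTP/1.x request headers into lowercased name -> list of values.

    Repeated headers are kept apart rather than joined, so a second
    X-Forwarded-For line smuggled in by a client stays visible to the caller.
    """
    head = raw.partition(b"\r\n\r\n")[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ForgeError("malformed header line: %r" % line)
        key = name.strip().lower().decode("ascii", "replace")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def choose_source_address(peer_ip: str, raw_request: bytes) -> Address:
    """Return the address the outbound connection should be forged from.

    A peer other than the squid box is treated as a transparently intercepted
    client: its own address is used and any X-Forwarded-For it sent is ignored
    (the forge_addr / ForgeClientSourceNAT case needs no header at all).  For
    the squid peer the header is required, must appear exactly once, and only
    its last hop (the one squid itself appended) is considered.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer != TRUSTED_PROXY:
        return peer

    values = parse_headers(raw_request).get("x-forwarded-for", [])
    if len(values) != 1:
        raise ForgeError("expected exactly one X-Forwarded-For header, got %d" % len(values))

    # squid appends the address it saw to whatever the client sent, so earlier
    # hops are client-controlled; only the last one reflects squid's own view.
    hops = [h.strip() for h in values[0].split(",")]
    try:
        addr = ipaddress.ip_address(hops[-1])
    except ValueError:
        raise ForgeError("X-Forwarded-For last hop is not an IP address: %r" % hops[-1])

    if addr.version != 4 or addr == TRUSTED_PROXY or not any(addr in net for net in CLIENT_NETS):
        raise ForgeError("refusing to forge %s: not one of our clients" % addr)
    return addr


def is_forgeable(peer_ip: str, raw_request: bytes) -> bool:
    """True if choose_source_address accepts the connection, False if it refuses."""
    try:
        choose_source_address(peer_ip, raw_request)
        return True
    except ForgeError:
        return False


def build_request(extra_headers: List[str]) -> bytes:
    """Constructed sample request, in the shape squid sends to its parent proxy."""
    lines = ["GET http://www.example.com/ HTTP/1.0", "Host: www.example.com"] + extra_headers
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    squid = str(TRUSTED_PROXY)
    print(choose_source_address(squid, build_request(["X-Forwarded-For: 198.51.100.7"])))
    print(choose_source_address(squid, build_request(["X-Forwarded-For: 203.0.113.5, 198.51.100.7"])))
    for bad in (["X-Forwarded-For: 203.0.113.5"],
                ["X-Forwarded-For: 198.51.100.7", "X-Forwarded-For: 198.51.100.8"],
                []):
        try:
            choose_source_address(squid, build_request(bad))
        except ForgeError as e:
            print("rejected:", e)
```

The two rules that matter are the peer check and the last-hop rule: a client behind squid can put any address it likes at the front of X-Forwarded-For, but it cannot control what squid appends, and a host that is not the squid box never gets to supply the header at all. Restricting the forged address to the client prefixes also keeps a compromised squid from making the firewall originate traffic as the squid itself, the firewall, or some unrelated Internet host.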
On Monday 31 March 2003 20:46, Illes Marton wrote:

You need to use ForgeClientSourceNAT as the SNAT, or if you use TransparentRouter you can set the forge_addr attribute to TRUE.

Both end up the same way: when Zorp connects to the server it uses the client's original IP address as the source address of the connection.

That sounds cool. Can you describe in a little more detail how and where I tell Zorp to use the client IP?

--
Regards,
Robert
----------------
Robert Penz
robert.penz AT outertech.com
On 2003 Apr 01, Robert Penz wrote:
On Monday 31 March 2003 20:46, Illes Marton wrote:
You need to use ForgeClientSourceNAT as the SNAT, or if you use TransparentRouter you can set the forge_addr attribute to TRUE.

Both end up the same way: when Zorp connects to the server it uses the client's original IP address as the source address of the connection.

That sounds cool. Can you describe in a little more detail how and where I tell Zorp to use the client IP?

It is quite easy. When you define the Service, e.g. HTTP, use this:

    Service("HTTP", HttpProxy, snat=ForgeClientSourceNAT())                # both 1.4 and 2.0

or

    Service("HTTP", HttpProxy, router=TransparentRouter(forge_addr=TRUE))  # 2.0 only

and the Listener which starts this service looks like this:

    Listener(SockAddrInet("10.20.30.40", 50080), "HTTP")

Péter HÖLTZL
BalaBit IT Kft          | Tel: +36 1 371-0540     | GnuPG Fingerprint:
holtzl.peter@balabit.hu | Mobil: +36 20 366-9667  | DB30 5E5B 8777 C06F 5A1F
http://www.balabit.hu/  | Fax: +36 1 208-0875     | 4586 CEAF 9678 4A89 CFD6
participants (4)
- c0g
- Illes Marton
- Peter HOLTZL
- Robert Penz