Firewall Wizards mailing list archives

IP transparent proxies (source).


From: Steve Kann <stevek () SteveK COM>
Date: Tue, 4 Nov 1997 12:56:57 -0500

Linux Firewallers,

        I've been building a firewall based on Linux, and I'd like to
share a couple of neat little things that I've done. They're not
commercial-quality or anything, but they're pretty slick, and do their
job well.

        I've been really interested in IP_TRANSPARENT_PROXY stuff, and
have made two tools that are really useful for taking advantage of it.
The first is tplug-gw, which is based on the fwtk plug-gw, and can
transparently proxy TCP connections.  You can then choose via Linux's
filtering rules which connections you'd like proxied.  Doing this,
instead of simple packet filtering, lets you have better logging, stops
TCP OOB attacks, fragmentation attacks, etc.  I'm not including the
source here yet, because I'm not sure if I'm allowed to redistribute it,
according to the fwtk license.  I might just re-write it from scratch,
as it isn't too complicated, and then it could be released without
problems.

        The second tool, which I'm attaching to the message, is an
apache module called mod_tproxy, which sits in front of the regular
apache proxy module.  When it gets a request, it looks to see if the
local address is the current machine or if the connection has been
redirected by IP_TRANSPARENT_PROXY.  If it's a redirect, it re-writes
the request URI to be in fully-qualified http://host[:port]/file form,
and then passes it up to the proxy module.  In this way, one can
transparently insert a proxy into a network, without requiring explicit
proxy support from the clients, or having to perform any special
configuration.  It seems to work surprisingly well for me.  It's pretty
raw right now, but useful nonetheless.

        Anyways, please let me know if anyone has any comments.


-SteveK


-- 
        Steve Kann   i/o 360 digital design   841 Broadway, Suite 502
  Personal:stevek () SteveK COM (finger for PGP) Business:stevek () io360 com
 I don't want your product or service, and I don't want to make money fast,
    so please don't send me your junk mail telling me about any of it.

Attachment: mod_tproxy.c
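
The redirect check and URI rewrite described in the message, as an added example; this is not the attached mod_tproxy.c. It assumes that under Linux transparent proxying getsockname() on the accepted socket returns the client's original destination, and it takes the host from that address. The names tproxy_rewrite and mk_addr and the 192.0.2.x addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* local: getsockname() result for the accepted socket (assumed to be the
 * client's original destination when redirected); own: the proxy's own
 * addresses. Returns 1 = rewritten, 0 = addressed to us, -1 = bad input. */
int tproxy_rewrite(const struct sockaddr_in *local,
                   const struct in_addr *own, size_t n_own,
                   const char *uri, char *out, size_t outlen)
{
    char host[INET_ADDRSTRLEN];
    unsigned port = ntohs(local->sin_port);
    size_t i;
    int n;
    for (i = 0; i < n_own; i++)
        if (own[i].s_addr == local->sin_addr.s_addr)
            return 0;   /* not redirected: leave the request alone */
    /* Rewrite origin-form paths only; refuse embedded spaces or CR/LF. */
    if (uri == NULL || uri[0] != '/' || strpbrk(uri, " \r\n") != NULL)
        return -1;
    if (inet_ntop(AF_INET, &local->sin_addr, host, sizeof host) == NULL)
        return -1;
    if (port == 80)     /* host[:port]: omit the default HTTP port */
        n = snprintf(out, outlen, "http://%s%s", host, uri);
    else
        n = snprintf(out, outlen, "http://%s:%u%s", host, port, uri);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
}

struct sockaddr_in mk_addr(const char *ip, unsigned short port)
{
    struct sockaddr_in sa = {0};    /* constructed sample address */
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

int main(void)
{
    struct in_addr own = mk_addr("192.0.2.1", 0).sin_addr;
    struct sockaddr_in dst = mk_addr("192.0.2.80", 8080);
    char buf[64];
    if (tproxy_rewrite(&dst, &own, 1, "/index.html", buf, sizeof buf) == 1)
        puts(buf);
    return 0;
}
```

Building the host part from the socket address means the proxy fetches from the server the client actually connected to, whatever the request headers claim.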