
Fix for tircproxy running on PF. Also minport and maxport ability added.



INTRODUCTION:

I recently installed tircproxy (/usr/ports/net/tircproxy) 0.4.5 (the current
version in ports) on my OpenBSD 3.0-STABLE computer and noticed some
problems with the transparent proxying:

1) By default tircproxy (after applying the OpenBSD patch included in the
port) does not enable Transparent proxy mode with PF enabled OpenBSD. (It
does not redefine TRANS 1). I imagine this might have been because despite
the 1.1 patch for the port, transparent mode still does not work.

2) After redefining TRANS 1 I noticed that I was receiving ioctl errors when
the PF section of trans_proxy was trying to use DIOCNATLOOK. After adding in
some debug statements, doing some testing with a client machine and taking a
look at ftp-proxy I came to the conclusion that there were some bugs in
tircproxy.c.

----------------------------------------------------------------------------

SYSTEM SETUP:

Here's my system:

[rukh@rukhgate rukh]$ uname -a
OpenBSD rukhgate 3.0 RUKH#8 i386

(note that I'm not using a GENERIC kernel. The only changes I've made
however to the config are a few of the performance enhancements listed on
the OpenBSD page and I've removed ipv6 support). I've also compiled
everything (both kernel and system) with:
-march=i686 -mcpu=i686

It's running on a Celeron 300a with 192MB RAM.

It has all of the PATCH branch patches applied.

I have oidentd installed but not UDB support for it and when I run tircproxy
I disable the ident sharing option with a -I option.

My OpenBSD machine has 2 network cards, rl0 and rl1. rl0 is the external
interface and rl1 is the internal one and sits on 192.168.99.1
I have a client machine on 192.168.99.2

My /etc/nat.conf file looks like this:
##################################
nat on rl0 from 192.168.99.0/24 to any -> rl0

# ftp-proxy support
rdr on rl1 proto tcp from any to any port 21 -> 127.0.0.1 port 8081

# tircproxy support
rdr on rl1 proto tcp from any to any port 6667 -> 127.0.0.1 port 6670
##################################

In /etc/pf.conf I have the following relevant entries:
($int_if is rl1, $ext_if is rl0, $int_ip is 192.168.99.1)

###################################
pass in log quick on $int_if proto tcp from any to 127.0.0.1 port = 8081 flags S/SAFR keep state
pass in log quick on $int_if proto tcp from any to 127.0.0.1 port = 6670 flags S/SAFR keep state
block in quick on $int_if from any to $int_ip

<anti-spoofing stuff in here>

pass in log quick on $ext_if proto tcp from any to any port 49151 >< 65535 flags S/SAFR keep state
###################################

I run tircproxy with the following arguments:

/usr/local/sbin/tircproxy -MRUHID -s 6670 -b 127.0.0.1 -i 192.168.99.1

(with my minport/maxport changes I'll discuss later I in fact use:
/usr/local/sbin/tircproxy -MRUHID -s 6670 -b 127.0.0.1 -i 192.168.99.1 -x 65534
where -x controls the max port number tircproxy will create a listen socket
on for remote machines to DCC to)

----------------------------------------------------------------------------

PROBLEMS and RESOLUTION:

First was the inability to get tircproxy running in transparent mode at all,
but this was just caused by the lack of TRANS being defined like it is for
IPF mode etc. So I just added:
#define TRANS  1
to the first #ifdef PF section.

Second, after adding in some debug messages I noticed that in trans_proxy:

1) The struct sockaddr_in ext variable seems to refer to the client machine's
address (192.168.99.2:someport)
2) The struct sockaddr_in gwy variable refers to the address that tircproxy
is listening on (127.0.0.1:6670)

And that judging from what the IPF code does and what the code does if
tircproxy is *not* running in transparent mode:
3) The struct sockaddr_in to_addr variable refers to the address of the irc
server that we wish to connect to.

However, the code as it stands, for me at least, does not reach the part
where it assigns a value to to_addr as it has an error with the DIOCNATLOOK
ioctl.

After trying a few different things and looking at the ftp-proxy source I
changed the following lines:

I changed:  natlook.direction = PF_IN;
to:         natlook.direction = PF_OUT;

This resolved the ioctl error but now to_addr was being assigned the same
address as the client machine (192.168.99.2:someport) rather than the
address of the irc server.

So I then also changed:  to_addr.sin_port = natlook.rsport;
to:                      to_addr.sin_port = natlook.rdport;

And:  to_addr.sin_addr.s_addr = natlook.rsaddr.v4.s_addr;
to:   to_addr.sin_addr.s_addr = natlook.rdaddr.v4.s_addr;

This then worked.

-------------------------------------------------------

MINPORT and MAXPORT

After getting tircproxy working I did notice there was still one problem I
was having with my firewall. I only leave open a range of high ports for
incoming connections for use in such things like Active mode FTP connections
with ftp-proxy rather than just letting everything through.
The problem is that tircproxy does not have any sort of minport and maxport
functionality like ftp-proxy, and so when I was trying to DCC *to* someone
else (and thus opening a listen socket on my gateway) there was a good
chance it would pick a port to listen on outside of my range of non-filtered
ports.

So, using ftp-proxy's get_backchannel_socket() as a guide I added
minport/maxport functionality into tircproxy.
I decided to use the command line arguments -m <minport> and -x <maxport> to
specify the relevant ports.

I also put all of my minport/maxport changes into #ifdef RANGEDPORTS
sections, so by #undef'ing RANGEDPORTS you can ignore these changes. At the
moment I don't #define RANGEDPORTS 1 for IPF or Linux, only for PF, though it
should work fine with IPF. For Linux, a change would probably have to be
made regarding my use of the IPPORT_HIFIRSTAUTO and IPPORT_HILASTAUTO
#defines from <netinet/in.h>, because I believe Linux does not have such
#defines.

--------------------------------------------------------

As I'm new to this list I'm unaware of the protocol on including attachments,
so instead I'll provide links to various patch files I've made.

You can find a list of patches etc. at http://www.rukh.net/tircproxy/


---------------------------------------------------------

I'm new to the submission process, so just in case, all my changes are
released under the BSD license.

-- Rukh
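The following is an added, portable C illustration of the minport/maxport scheme the post describes (a listen socket for the DCC backchannel that must land inside the firewall's open high-port range, in the style of ftp-proxy's get_backchannel_socket()). It is not tircproxy's or ftp-proxy's code and is not taken from the patches linked above. The function names (listen_in_range, default_port_range) are hypothetical, and the fallback values 49152/65535 used when the BSD IPPORT_HIFIRSTAUTO/IPPORT_HILASTAUTO defines are absent (e.g. on Linux) are an assumption made here so the file also builds there.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumption: on systems without the BSD auto-port defines (Linux), fall
 * back to the IANA dynamic/private range. On OpenBSD these come from
 * <netinet/in.h> as the post notes. */
#ifndef IPPORT_HIFIRSTAUTO
#define IPPORT_HIFIRSTAUTO 49152
#endif
#ifndef IPPORT_HILASTAUTO
#define IPPORT_HILASTAUTO 65535
#endif

/* Fill in the range used when no -m/-x arguments are given. */
void default_port_range(int *minport, int *maxport)
{
    *minport = IPPORT_HIFIRSTAUTO;
    *maxport = IPPORT_HILASTAUTO;
}

/* Validate a -m/-x pair: both within 1..65535 and min <= max. */
int port_range_valid(int minport, int maxport)
{
    return minport >= 1 && maxport <= 65535 && minport <= maxport;
}

/* Open a TCP listening socket on bind_ip, trying each port in
 * [minport, maxport] in turn. On success returns the socket fd and stores
 * the port actually bound in *chosen; returns -1 if no port in the range is
 * free or on any other error. A fresh socket is created per attempt so a
 * failed bind never leaves a half-bound descriptor behind. */
int listen_in_range(const char *bind_ip, int minport, int maxport, int *chosen)
{
    struct sockaddr_in sa;
    int port;

    if (!port_range_valid(minport, maxport))
        return -1;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    if (inet_pton(AF_INET, bind_ip, &sa.sin_addr) != 1)
        return -1;

    for (port = minport; port <= maxport; port++) {
        int fd = socket(AF_INET, SOCK_STREAM, 0);
        if (fd < 0)
            return -1;
        sa.sin_port = htons((uint16_t)port);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
            if (listen(fd, 5) < 0) {
                close(fd);
                return -1;
            }
            *chosen = port;
            return fd;
        }
        /* Port taken: close and try the next one. Anything else is fatal. */
        close(fd);
        if (errno != EADDRINUSE)
            return -1;
    }
    return -1;  /* whole range in use */
}

int main(int argc, char **argv)
{
    int minport, maxport, chosen = 0, fd;

    /* Constructed usage: optional "<minport> <maxport>" on the command line,
     * mirroring the post's -m/-x arguments. */
    default_port_range(&minport, &maxport);
    if (argc == 3) {
        minport = atoi(argv[1]);
        maxport = atoi(argv[2]);
    }

    fd = listen_in_range("127.0.0.1", minport, maxport, &chosen);
    if (fd < 0) {
        fprintf(stderr, "no free port in %d-%d\n", minport, maxport);
        return 1;
    }
    printf("listening on 127.0.0.1:%d (range %d-%d)\n", chosen, minport, maxport);
    close(fd);
    return 0;
}
```

The point of the loop is that the port is chosen by the proxy, not by the kernel's ephemeral allocator, so it can be kept inside the range the firewall actually passes (the 49151 >< 65535 rule in the pf.conf excerpt above). The upper bound is still a configuration choice: with -x 65534 as in the post, the last port of the firewall range is simply never used.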