[sslh] FreeBSD Transparent firewall rules
Matt Smith
sslh at xtaz.co.uk
Fri Mar 13 15:07:38 CET 2015
Hi! I'm trying to get the transparent support working on FreeBSD with a
slightly different setup and am wondering if I'm just doing something
wrong or if this just won't work.
I have nginx listening on port 443 and sslh listening on port 444 and
then I use a firewall rule like this:
ipfw add fwd 10.0.0.10,444 log tcp from 1.2.3.4 to 10.0.0.10 443 in
This allows HTTPS connections to just immediately hit nginx unless they
come from the 1.2.3.4 IP address, in which case they get forwarded to
sslh. This works fine in non-transparent mode.
I switched transparent on and added a second rule to say this:
ipfw add fwd 10.0.0.10,444 log tcp from 10.0.0.10 443 to 1.2.3.4 out
This looks like the kind of thing I would need to say traffic coming
from port 443 and going to 1.2.3.4 should be forwarded to sslh. However
trying to test this I just get a connection timed out and this shows in
the log file:
ipfw: 21 Forward to 10.0.0.10:444 TCP 1.2.3.4:52768 10.0.0.10:443 in via re0
ipfw: 22 Forward to 10.0.0.10:444 TCP 10.0.0.10:443 1.2.3.4:52768 out via re0
ipfw: 21 Forward to 10.0.0.10:444 TCP 1.2.3.4:52768 10.0.0.10:443 in via lo0
So it looks like the connection comes in, is forwarded, then the
response out is also forwarded, but then for some reason it mentions
another forward on the lo0 localhost interface?
If I switch it around so that nginx listens on 444 and sslh listens on
443 and just add the normal firewall rule that is mentioned in the
readme file, then transparent support works as you would expect. So does
any sslh/ipfw expert know if what I am trying is possible, and if so,
what have I missed? Or am I going to have to just use sslh as designed
if I want to use transparent support?
PS. Thanks for the 1.17 release Yves and Olivier (Fbsd pkg maintainer)!
Cheers,
--
Matt
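Added illustration, not part of Matt's message and not code from sslh or ipfw: a toy model of first-match ipfw "fwd" rules that replays the packet sequence behind the three log lines above. On my reading of the log, the third line is sslh's own connection to nginx, which in transparent mode is made with the client's source address and port and is therefore seen on lo0 with the same 1.2.3.4:52768 -> 10.0.0.10:443 tuple as the original SYN, so rule 21 matches it again. The packet list and the "via re0" qualified variant of rule 21 are assumptions constructed for the demonstration, not something taken from the post or the sslh README.

```python
# Added illustration (not sslh or ipfw code): a toy model of first-match
# ipfw 'fwd' rules, used to replay the packet sequence from the log above.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"
    iface: str      # interface the packet is seen on


@dataclass(frozen=True)
class FwdRule:
    number: int
    fwd_to: str                # "addr,port" as written in the ipfw rule
    src: str                   # source address or "any"
    sport: Optional[int]       # None = any source port
    dst: str
    dport: Optional[int]
    direction: str             # "in" or "out"
    via: Optional[str] = None  # interface qualifier, None = no qualifier

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.via is not None and self.via != p.iface:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True

    def log_line(self, p: Packet) -> str:
        # Same layout as the 'ipfw: N Forward to ...' lines in the post.
        return (f"ipfw: {self.number} Forward to {self.fwd_to.replace(',', ':')} "
                f"TCP {p.src}:{p.sport} {p.dst}:{p.dport} {p.direction} via {p.iface}")


def first_match(rules: List[FwdRule], p: Packet) -> Optional[FwdRule]:
    """ipfw evaluates rules in ascending number order and stops at the first match."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r
    return None


def trace(rules: List[FwdRule], packets: List[Packet]) -> List[str]:
    """Return the log line each forwarded packet would produce ('' if not forwarded)."""
    out = []
    for p in packets:
        r = first_match(rules, p)
        out.append(r.log_line(p) if r else "")
    return out


# The two rules from the post.
RULES = [
    FwdRule(21, "10.0.0.10,444", "1.2.3.4", None, "10.0.0.10", 443, "in"),
    FwdRule(22, "10.0.0.10,444", "10.0.0.10", 443, "1.2.3.4", None, "out"),
]

# Constructed packet sequence that reproduces the three logged events:
# 1. client SYN arriving on re0
# 2. the reply leaving on re0
# 3. sslh's own connection to nginx; in transparent mode it carries the
#    client's source address and port, and it is seen on lo0 (assumption).
PACKETS = [
    Packet("1.2.3.4", 52768, "10.0.0.10", 443, "in", "re0"),
    Packet("10.0.0.10", 443, "1.2.3.4", 52768, "out", "re0"),
    Packet("1.2.3.4", 52768, "10.0.0.10", 443, "in", "lo0"),
]

# Hypothetical variant: rule 21 restricted to re0 so it no longer matches
# the loopback copy (assumed ipfw syntax: '... in via re0').
RULES_VIA_RE0 = [
    FwdRule(21, "10.0.0.10,444", "1.2.3.4", None, "10.0.0.10", 443, "in", via="re0"),
    RULES[1],
]

if __name__ == "__main__":
    for line in trace(RULES, PACKETS):
        print(line or "(not forwarded)")
    print("--- with rule 21 qualified by 'via re0' ---")
    for line in trace(RULES_VIA_RE0, PACKETS):
        print(line or "(not forwarded)")
```

Running the block prints the same three "Forward to" lines as the post for the unqualified rules, and shows the lo0 packet no longer being forwarded once rule 21 is tied to re0. Whether that qualifier is the right fix for the real setup is something to verify against ipfw(8) and the sslh README on the box itself; the model only shows why an unqualified rule 21 sees the loopback connection twice.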