[sslh] FreeBSD Transparent firewall rules

Matt Smith sslh at xtaz.co.uk
Fri Mar 13 15:07:38 CET 2015


Hi! I'm trying to get the transparent support working on FreeBSD with a 
slightly different setup and am wondering if I'm just doing something 
wrong or if this just won't work.

I have nginx listening on port 443 and sslh listening on port 444 and 
then I use a firewall rule like this:

ipfw add fwd 10.0.0.10,444 log tcp from 1.2.3.4 to 10.0.0.10 443 in

This allows HTTPS connections to just immediately hit nginx unless they 
come from the 1.2.3.4 IP address, in which case they get forwarded to 
sslh. This works fine in non-transparent mode.

I switched transparent on and added a second rule to say this:

ipfw add fwd 10.0.0.10,444 log tcp from 10.0.0.10 443 to 1.2.3.4 out

This looks like the kind of thing I would need to say traffic coming 
from port 443 and going to 1.2.3.4 should be forwarded to sslh. However 
trying to test this I just get a connection timed out and this shows in 
the log file:

ipfw: 21 Forward to 10.0.0.10:444 TCP 1.2.3.4:52768 10.0.0.10:443 in via re0
ipfw: 22 Forward to 10.0.0.10:444 TCP 10.0.0.10:443 1.2.3.4:52768 out via re0
ipfw: 21 Forward to 10.0.0.10:444 TCP 1.2.3.4:52768 10.0.0.10:443 in via lo0

So it looks like the connection comes in, is forwarded, then the 
response out is also forwarded, but then for some reason it mentions 
another forward to the lo0 localhost interface?

If I switch it around so that nginx listens on 444 and sslh listens on 
443 and just add the normal firewall rule that is mentioned in the 
readme file, then transparent support works as you would expect. So does 
any sslh/ipfw expert know if what I am trying is possible, and if so, 
what have I missed? Or am I going to have to just use sslh as designed 
if I want to use transparent support?

PS. Thanks for the 1.17 release Yves and Olivier (Fbsd pkg maintainer)!

Cheers,

-- 
Matt
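The diagnostic signal in the post is that the same client flow matches inbound fwd rule 21 twice, once on re0 and once on lo0. The following script is an added example (editor's code, not the poster's and not part of sslh) that parses ipfw "Forward to" log lines in the format shown above, rebuilds a per-flow timeline, and flags any flow whose inbound fwd rule fired more than once. The log lines it processes are the three from the post, re-joined; the function and variable names are assumptions of this example.

```python
import re
from collections import defaultdict

# Regex for ipfw log lines of the form seen in the post:
# "ipfw: <rule> Forward to <ip>:<port> TCP <src>:<sport> <dst>:<dport> <in|out> via <iface>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) Forward to (?P<fwd>\S+) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

# The three log lines from the post, re-joined onto single lines.
SAMPLE_LOG = """\
ipfw: 21 Forward to 10.0.0.10:444 TCP 1.2.3.4:52768 10.0.0.10:443 in via re0
ipfw: 22 Forward to 10.0.0.10:444 TCP 10.0.0.10:443 1.2.3.4:52768 out via re0
ipfw: 21 Forward to 10.0.0.10:444 TCP 1.2.3.4:52768 10.0.0.10:443 in via lo0
"""


def parse_fwd_log(text):
    """Parse ipfw fwd log lines into a list of event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("rule", "sport", "dport"):
            e[k] = int(e[k])
        events.append(e)
    return events


def flow_key(event):
    """Canonical (client_ip, client_port, server_ip, server_port) key.
    Inbound packets carry the client as src; outbound replies carry it as dst."""
    if event["direction"] == "in":
        return (event["src"], event["sport"], event["dst"], event["dport"])
    return (event["dst"], event["dport"], event["src"], event["sport"])


def flow_timeline(events):
    """Group events by flow, preserving log order: key -> [(rule, direction, iface), ...]."""
    timeline = defaultdict(list)
    for e in events:
        timeline[flow_key(e)].append((e["rule"], e["direction"], e["iface"]))
    return dict(timeline)


def find_reforwarded_flows(events):
    """Return flows whose inbound packets matched a fwd rule more than once,
    together with the (rule, iface) pairs seen. A second inbound match on lo0
    is the pattern from the post: the forwarded packet re-enters the stack and
    matches the same rule again instead of reaching its final socket."""
    hits = {}
    for key, steps in flow_timeline(events).items():
        inbound = [(rule, iface) for rule, direction, iface in steps if direction == "in"]
        if len(inbound) > 1:
            hits[key] = inbound
    return hits


if __name__ == "__main__":
    evs = parse_fwd_log(SAMPLE_LOG)
    for key, steps in flow_timeline(evs).items():
        print("flow %s:%d -> %s:%d" % key)
        for rule, direction, iface in steps:
            print("  rule %d %s via %s" % (rule, direction, iface))
    for key, inbound in find_reforwarded_flows(evs).items():
        print("re-forwarded inbound flow %s:%d -> %s:%d on %s" % (key + (inbound,)))
```

Run against a live `ipfw log` capture, the same check separates a healthy transparent setup (one inbound fwd match per flow, one outbound match for the reply) from the looping pattern in the post, where rule 21 fires a second time on lo0 for the same 4-tuple.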