Article delegate-en <_A4344@delegate-en.ML_>
[delegate-en/4344] [Reference:<_A4342@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Few questions about transparent proxy & srcif
11 Jan 2009 05:41:14 GMT (Yutaka Sato)
The DeleGate Project


In message <_A4342@delegate-en.ML_> on 01/11/09(04:24:45)
 |> I should have said that I'm testing these under MacOSX.  I also have
 |> FreeBSD (4, 5, 6 and 7 for testing the binary distribution of DeleGate) but
 |> "ipfw fwd" on them fail with "ipfw: getsockopt(IP_FW_ADD): Invalid argument"
 |> (and I'm not so interested in FreeBSD:p)
 |Seems kernel rebuilding with "options IPFIREWALL_FORWARD" is required.

I know that, since I searched for what the error message implies, but
I don't know how to enable the option in the kernel.  If I need some
recompilation or so, I will not try it because I don't like to have
DeleGate depend on some specific kernel option rather than the generic.
Anyway, I'm working on MacOSX in which the option is enabled by default.

 |> Using the same proxy under the same configuration, with the patch,
 |> I confirmed it can be used also as a virtual Host based proxy and
 |> a usual proxy, and an origin server by the following test.
 |Thanks. I patched 9.9.0 with attached patch & confirm that transparent
 |proxy now works on freebsd 6.3-p2 with configuration like:
 |But seems at least error reporting to client and proxy forwarding in
 |transparent mode are broken. Client receives blank white page in both

You are specifying SERVER=tcprelay with which no interpretation (or
generation) for an application protocol (HTTP in this case) is done
by DeleGate.  Thus no error message handling is done, and RELAY=vhost
has no effect.  At least you need to specify as
to enable those capabilities which are specific to the HTTP protocol.

 |PS. Seems you miss my second question about SRCIF and disabling
 |default gateway routing (Q2 in first mail).

We should solve independent problems one by one.
If your requirement is bypassing routing for outgoing connections (and/or
if you can use the network interface for incoming connections for it),
will be useful as written in
Maybe you need 9.9.1-pre7 to make this work because this needs recognition
of real incoming interface, which was realized for ipfw in 9.9.1-pre7.

  9 9   Yutaka Sato <>
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
