Folks,

Not wanting to sound like the voice in the wilderness... but there is now a FreeBSD 8.x patch for stunnel to utilize the IP_BINDANY setsockopt. It does not work fully, only partly. The partly being the traffic looks like it's coming from the external IP address to the internal service, but the service cannot talk back on this IP address either because of network routing or because the kernel does not recognize the instruction to speak to the foreign address via proxy.

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=153568
http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/stunnel/files/patch-src::common.h?rev=1.8
http://www.freebsd.org/cgi/query-pr-summary.cgi?category=&severity=&priority=&class=&state=&sort=none&text=stunnel&responsible=roam&multitext=&originator=&closedtoo=on&release=

After testing numerous pf rules, I've come to the conclusion pf cannot produce the result. 

nt_if="lo0"
ext_if="ed0"  # 192.168.103.x
ext2_if="ed1" # 10.0.0.5

rdr pass log inet proto tcp from 192.168.103.69 to $int_if port 80 -> $int_if
nat pass log inet proto tcp from 192.168.103.69 to $int_if port 80 -> $int_if

or

pass in log on $ext_if reply-to ($ext2_if 10.0.0.5) from 192.168.103.69 synproxy state

Neither of these methods rules work, but the first actually rewrites the source IP to the internal IP, thereby undoing the proxy function. The second creates a connection, but thus synchronizing the connection at pf, but actual network traffic is listed via tcpdump. 

Another project seems to accomplish this goal via ipfw 'fwd' rules (IPFIREWALL_FORWARD). 

# ipfw add 100 fwd 127.0.0.1,10025 tcp from not me to any 25

http://thewalter.net/stef/software/clamsmtp/transparent.html 


-----Original Message-----
From: oscaruser@programmer.net
To: stunnel-users@mirt.net
Sent: Wed, Dec 29, 2010 4:18 pm
Subject: Re: [stunnel-users] Stunnel forwarding IP

[second sending of the same message]

OK I see transparent configuration option, but looks only available for Linux. Tried on FreeBSD 7.3 amd64 and FBSD 8.1 amd64, with same result, "local_bind (original port): Can't assign requested address (49)". Apparently v8.1 supports IP_BINDANY (man ip 8), but stunnel may not be using this feature (based on searching the stunnel-4.33 source code).




-----Original Message-----
From: oscaruser@programmer.net
To: stunnel-users@mirt.net
Sent: Wed, Dec 29, 2010 2:07 pm
Subject: [stunnel-users] Stunnel forwarding IP

Folks,

For my server daemon process, I am accepting incoming requests only from pre-seeded IP addrs. Using Stunnel, I am finding connecting IPs are '127.0.0.1' or localhost. Is there any configuration or solution to represent incoming IPs for the given file descriptor belonging to their originating IP addrs?

Thank you.

_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users