Re: Hiding NATs with PF

From: Max Bolingbroke (batterseapower_at_hotmail.com)
Date: 09/28/05


Date: 28 Sep 2005 07:59:16 -0700


> > assume application level proxying is not practical
> > in this scenario
>
> Why?
>
> It doesn't have to be application level, a generic TCP proxy will do.
> You can redirect connections to it transparently (without the clients'
> cooperation) and have the proxy find out the real destination from pf,
> connect there and relay. All outgoing connections will then originate
> from the OpenBSD box and have its fingerprints.

Really? That sounds very interesting; I was not aware of such a TCP
proxy. I'll start googling now, but I would be much obliged if you
would point me to a guide on how to do this or link me to the relevant
programs. Thanks!

> Or did you mean 'economical', as in you're (ab)using an ISP contract
> prohibiting multiple hosts to save a couple of dollars a month, and
> those savings do not warrant you spending time on the setup? Sorry,
> in that case it's not worth anyone else's time, either.

:) I've explained my situation in my reply to Greg Hennessy. If the
network I was attaching to allowed me to pay more for more IP addresses
I would gladly do so rather than attempt this elaborate and
time-consuming scheme, but they don't offer that flexibility.

> > Are there any further ways I can have PF munge my
> > outgoing packets so they look like they all come from the same flavour of TCP
> > stack?
>
> No.

Nice to see my PF research caught everything! As I said above, I would
be very grateful for any information about transparent TCP proxying
with PF.

Thanks for your reply,

Max
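The transparent relay the quoted reply describes, as an added example that is not part of this thread or of pf itself: a listener that a pf rdr rule would point at, a lookup hook where a real proxy would ask pf (DIOCNATLOOK on /dev/pf) for the connection's original destination, and a two-way byte pump so that the connection the destination sees is opened by the proxy host. The pf query is an assumption left as an injectable function; round_trip() exercises the relay locally against an echo server.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle_client(client, lookup):
    """Relay one redirected connection. lookup(peer, local) stands in for asking
    pf (DIOCNATLOOK on /dev/pf) where the client was going before the rdr."""
    host, port = lookup(client.getpeername(), client.getsockname())
    # Outbound leg is opened by the proxy host, so the remote end sees its stack.
    with socket.create_connection((host, port)) as upstream, client:
        back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
        back.start()
        pump(client, upstream)
        back.join()

def start_listener(host="127.0.0.1", port=0):
    """Bind a listening socket; pf's rdr rule would point at the proxy's port."""
    srv = socket.socket()
    srv.bind((host, port))
    srv.listen(5)
    return srv

def round_trip(payload):
    """Self-test: local echo server plays the destination, constant lookup plays pf."""
    echo, proxy = start_listener(), start_listener()
    def echo_once():
        with echo.accept()[0] as c:
            c.sendall(c.recv(4096))
    threading.Thread(target=echo_once, daemon=True).start()
    dest = echo.getsockname()
    threading.Thread(target=lambda: handle_client(proxy.accept()[0], lambda *_: dest),
                     daemon=True).start()
    with socket.create_connection(proxy.getsockname()) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return c.recv(4096)
```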


