freebsd security - Jun 2003 - redirect unauthorized users to a login page (natd as a transparent proxy)

Hello

I am trying to redirect all http traffic of unauthorized wifi users on a
wireless hotspot to a login page. The problem I have is that I can not
disable the regular address translation (I want the source address to stay
the same).

10.0.0.7       is the wifi client
195.250.155.29 is the web wifi user tries to access from his browser
195.113.17.94  is my login page
10.0.0.1       is the wifi interface on the server

What happens is

In  [TCP]  [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to
           [TCP] 10.0.0.1:1036 -> 195.113.17.94:80

The natd configuration file:
-------------------------------------------------------------------------
interface wi0
port 1234
#proxy_only yes
reverse
proxy_rule port 80 server 195.113.17.94:80
-------------------------------------------------------------------------

Natd was run as natd -f /etc/natd.conf -v with
00010 divert 1234 tcp from any to any via wi0

I was hoping proxy_only will do the trick but it does not seem to have
any impact and the source address is changed anyway.

A quick glance at the source did not help much to my understanding of the
proxy_only option.

Thank you very moch for any hints,

Vaclav

On Sun, Jun 08, 2003 at 10:35:47PM +0200, Vaclav Petricek
wrote:
> 
> Hello
> 
> I am trying to redirect all http traffic of unauthorized wifi users on a
> wireless hotspot to a login page. The problem I have is that I can not
> disable the regular address translation (I want the source address to stay
> the same).
> 
> 10.0.0.7       is the wifi client
> 195.250.155.29 is the web wifi user tries to access from his browser
> 195.113.17.94  is my login page
> 10.0.0.1       is the wifi interface on the server
> 
> What happens is
> 
> In  [TCP]  [TCP] 10.0.0.7:1036 -> 195.250.155.29:80 aliased to
>            [TCP] 10.0.0.1:1036 -> 195.113.17.94:80
> 
> The natd configuration file:
> -------------------------------------------------------------------------
> interface wi0
> port 1234
> #proxy_only yes
> reverse
> proxy_rule port 80 server 195.113.17.94:80
> -------------------------------------------------------------------------
> 
> Natd was run as natd -f /etc/natd.conf -v with
> 00010 divert 1234 tcp from any to any via wi0
> 
> I was hoping proxy_only will do the trick but it does not seem to have
> any impact and the source address is changed anyway.
> 
> A quick glance at the source did not help much to my understanding of the
> proxy_only option.
> 
Confirmed as a bug.  The attached patch worked for me,
please test it.  You'll have to recompile and reinstall
libalias(3), then recompile and reinstall natd(8) with
new library.


Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software Ltd,
ru@FreeBSD.org		FreeBSD committer
-------------- next part --------------
Index: alias.c
==================================================================RCS file:
/home/ncvs/src/lib/libalias/alias.c,v
retrieving revision 1.36
diff -u -p -r1.36 alias.c
--- alias.c	23 Jul 2002 00:16:19 -0000	1.36
+++ alias.c	8 Jun 2003 21:56:06 -0000
@@ -1057,7 +1057,8 @@ TcpAliasOut(struct ip *pip, int maxpacke
 
     link = FindUdpTcpOut(pip->ip_src, pip->ip_dst,
                          tc->th_sport, tc->th_dport,
-                         IPPROTO_TCP, 1);
+                         IPPROTO_TCP,
+                         !(packetAliasMode & PKT_ALIAS_PROXY_ONLY));
     if (link !=NULL)
     {
         u_short alias_port;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030609/4c3c4bc2/attachment.bin