Transparent patch README

Transparent Proxy support for the TIS Firewall Toolkit v2.1

These patches will add transparent proxy support to the TIS Firewall toolkit, version 2.0. Apply them to your source tree like any other patch:

cd /usr/src/fwtk; patch -p < /path/to/trans.pch

The main portion of the code is a function added to lib/hnam.c, which works most of the magic. If another OS provides support for this kind of thing, it should not be difficult to add support for it here. I've named it getdsthost(), if only so that my quake proxy (not yet bug-free) which uses this code will hopefully be of benefit to those Gauntlet-toting Quake players out there :-)

The code makes use of the "Transparent Proxy" and port redirection code now found in the Linux Kernel and IP Firewalling package. See the kernel and ipfwadm man pages for details on configuring these.

The code also works with Darren Reed's IP Filter package for [Free| Net|44]BSD (a *very* nice package, IMO). See the man pages for IP Filter's NAT software for details on configuring redirection.

This is how it works:
* Clients configure their default gateways to be the proxy server. Their connections are redirected back to the proxy server by the kernel, and handed to the fwtk software.
* The fwtk software figures out what the intended destination was, and provides appropriate proxy services.
* Whammo-Blammo.

I use the following proxies locally, and they seem to be pretty well behaved: tn-gw, http-gw, rlogin-gw, plug-gw, and ftp-gw. They all work both transparently and "normally."

It should be noted that when I was kludging up ftp-gw, I started with Darren Reed's (darrenr@cyber.com.au) ftp-gw patches from his IP Filter v3.1 package.

Please let me know if you have any questions/problems with this. I've tried to clean up my code for general consumption as best I can. I am already aware of a couple misfeatures/shortcomings:
* HTTPS (SSL) Proxy support in http-gw doesn't work transparently.
* netacl, when running stand-alone, does not support transparent service.
* Authentication to ftp-gw is not supported transparently.
* The patches to ftp-gw are really quite an unpleasant sight.

PLEASE NOTE: I do *not* consider transparent proxy support in the Linux and *BSD kernels a 100% stable feature. If you want solid reliability, buy Gauntlet and BSDI. I've always thought it felt pretty darn stable. I use this code under Linux and BSD myself, due to the cost. And it's fun to play with >:-)

James Croall - jcroall@foo.org