Hello,
I'm trying to set up port multiplexing using sslh. Importantly, I have to use that nice 'transparent' feature that makes traffic distributed locally by sslh look like it comes from the external interface. It looks something like this:
Code:
Browser[A]-----------[http/ssl]-------> sslh[B 443] ------------> nginx[C 4443]----> ......
            IP A -> IP B                               IP A -> IP C   (nginx is in jail :)
....-----------------> skipped sslh[B 443] --------------------> Browser[A]
reply back  IP C:4443 -> IP A[some port]   [TRAFFIC IGNORED]
Now of course IP C can't directly connect to IP A because this breaks the session. The jail is behind NAT, so IP A actually receives packets that it doesn't expect at all.
I tried to add rdr rules to change IP A to IP B:443 instead so that sslh would receive them. It was unsuccessful. I also tried to add a rule to NO NAT for that specific case and then redirect again. No success again. Then I searched around and found that outgoing packets actually can't be redirected by the packet filter. The most interesting discussion I came across was this one from the FreeBSD mailing lists: https://lists.freebsd.org/pipermail/freebsd-pf/2005-September/001495.html
Unfortunately that didn't work out for me either.
If somebody knows how I could do that, I would be grateful! If anyone would like to see some traces or details of the actual setup, I could provide that too.
Regards,
Martin
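The diagram in the post shows the failure mode of sslh's transparent mode: sslh opens the backend connection with the real client's address (IP A) as the source, so the backend's replies are addressed to IP A and must terminate at the sslh host's spoofed socket; if the host instead forwards them out towards the client, the client sees packets from C:4443 for a connection it never opened and drops them. The script below is an added diagnostic, not code from the post or from the sslh project: it reads a simplified, constructed capture format (`iface dir src:sport > dst:dport flags`, not tcpdump's exact output) taken on the sslh host and flags backend replies that leave the host for a connection sslh itself opened. The interface names, addresses and the backend list are assumptions for the example.

```python
"""
Check a capture from the sslh host for transparent-mode replies that
escape instead of terminating at sslh's spoofed socket.

Input format (constructed for this example, one packet per line):
    iface dir src:sport > dst:dport flags
where dir is "in" (received on iface) or "out" (sent on iface).
"""
import re
from dataclasses import dataclass

PKT_RE = re.compile(
    r"^(?P<iface>\w+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$"
)


@dataclass(frozen=True)
class Packet:
    iface: str
    dir: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line):
    """Parse one capture line; raises ValueError on anything unexpected."""
    m = PKT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return Packet(m["iface"], m["dir"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["flags"])


def find_leaked_replies(lines, backends):
    """
    backends: set of (ip, port) tuples that sslh forwards to transparently.
    A forward packet leaving the host towards a backend records a spoofed
    connection (client ip/port -> backend ip/port).  A later packet from
    that backend to that client which *leaves* the host is a leak: in a
    working setup the reply is consumed locally by sslh and is only ever
    seen as "in" on the backend-facing interface.
    """
    spoofed = set()
    leaked = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        p = parse_line(line)
        if p.dir == "out" and (p.dst, p.dport) in backends:
            spoofed.add((p.src, p.sport, p.dst, p.dport))
        elif (p.dir == "out" and (p.src, p.sport) in backends
              and (p.dst, p.dport, p.src, p.sport) in spoofed):
            leaked.append(p)
    return leaked


# Constructed sample: A = 203.0.113.10 (browser), B = 198.51.100.5 (sslh host,
# ext0), C = 10.0.0.20 (nginx in the jail, reached over int0).
BROKEN_TRACE = """
# client handshake with sslh on B:443
ext0 in  203.0.113.10:51000 > 198.51.100.5:443 S
ext0 out 198.51.100.5:443 > 203.0.113.10:51000 S.
ext0 in  203.0.113.10:51000 > 198.51.100.5:443 .
# sslh opens the backend connection with A's address as source
int0 out 203.0.113.10:51000 > 10.0.0.20:4443 S
int0 in  10.0.0.20:4443 > 203.0.113.10:51000 S.
# the reply is forwarded out to the real client instead of ending at sslh
ext0 out 10.0.0.20:4443 > 203.0.113.10:51000 S.
"""

HEALTHY_TRACE = """
ext0 in  203.0.113.10:51000 > 198.51.100.5:443 S
ext0 out 198.51.100.5:443 > 203.0.113.10:51000 S.
int0 out 203.0.113.10:51000 > 10.0.0.20:4443 S
int0 in  10.0.0.20:4443 > 203.0.113.10:51000 S.
# sslh relays the backend's answer inside the original client session
ext0 out 198.51.100.5:443 > 203.0.113.10:51000 P.
"""

BACKENDS = {("10.0.0.20", 4443)}


def main():
    for name, trace in (("broken", BROKEN_TRACE), ("healthy", HEALTHY_TRACE)):
        leaks = find_leaked_replies(trace.splitlines(), BACKENDS)
        print(f"{name}: {len(leaks)} leaked reply packet(s)")
        for p in leaks:
            print(f"  {p.iface} {p.dir} {p.src}:{p.sport} > {p.dst}:{p.dport} {p.flags}")


if __name__ == "__main__":
    main()
```

Run it against a real capture converted to the same line shape and an empty result means the backend replies are being absorbed by the sslh host; any flagged line pinpoints the interface on which the reply is escaping, which is where the routing or filter rule for the return path needs to act.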