forked from darkk/redsocks
Improvement on FreeBSD/OpenBSD support #200
Comments
I'm so looking forward to your pull request!
On Tue, Jun 11, 2024, 15:40 ge9 wrote:
Hi,
I tested and modified redsocks2 to work (more) correctly in FreeBSD and
OpenBSD: https://github.com/ge9/redsocks .
All are tested with DISABLE_SHADOWSOCKS=true and SOCKS5 proxy.
I may send pull request in the future.
FreeBSD
Tested with FreeBSD 14.0, ipfw, with redirector=generic.
The main point is ignoring "bind" error at bound_udp_get(). Also, sizeof(struct sockaddr_in)
seems to be required to avoid "Invalid address" error. (ge9@69541db)
This is my script for ipfw/ifconfig.
kldload ipfw
fwcmd=ipfw
ifconfig em0 alias 10.0.2.25 netmask 0xffffff00
$fwcmd add 100 allow all from any to any via lo0
$fwcmd add 500 fwd 127.0.0.1,22222 tcp from 10.0.2.25 to any
$fwcmd add 600 fwd 127.0.0.1,22222 udp from 10.0.2.25 to any
$fwcmd add 700 allow ip from any to any
FreeBSD has firewalls other than IPFW, i.e. pf and ipfilter (ipf).
pf partially worked but destination addresses were obtained as the
transparent proxy port (127.0.0.1:22222), useless in actual cases.
See also OpenBSD results.
FYI, this is my configuration.
rdr pass on lo0 proto {tcp, udp} from 10.0.2.25 -> 127.0.0.1 port 22222
pass out quick route-to lo0 from 10.0.2.25
pass
I couldn't figure out how to set up ipfilter for transparent proxy (though
it seems supported by redsocks according to documentation).
I also tried pfSense, but strangely, only UDP worked. (TCP packets won't
be received by redsocks).
OpenBSD
Tested with OpenBSD 7.5 and pf, redirector=generic.
I added 10.0.2.25 as before, and this is the configuration.
pass # establish keep-state
pass in quick proto {tcp, udp} from 10.0.2.25 to ! 10.0.2.25 divert-to 127.0.0.1 port 22222
pass out quick proto {tcp, udp} from 10.0.2.25 route-to lo0
To make it work, I added some options like IP_RECVDSTADDR for sockets,
according to man page documentation on divert-to syntax. (ge9@65fa263)
Currently it should support only IPv4.
If we use rdr-to instead of divert-to here, the destination addresses are
obtained as 127.0.0.1:22222, which explains the behavior of FreeBSD's pf.
If I use redirector=pf instead, at least in my case, TCP didn't work. But
this can be fixed because TCP packets are received by redsocks with correct
destination address.
I also tried NetBSD, which OpenBSD originates from, but it seems that there
is no divert-to in NetBSD's pf.
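How a UDP listener behind the OpenBSD divert-to rule above can recover the original destination, as an added example that is not code from this issue or from redsocks: it walks the control messages that recvmsg() returns once IP_RECVDSTADDR and IP_RECVDSTPORT are enabled on the socket, and reports success only when both are present and correctly sized. The function names, the stand-in option values used when building off OpenBSD, and the sample datagram to 192.0.2.53:53 are assumptions constructed for illustration.

```c
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

#ifndef IP_RECVDSTPORT /* not OpenBSD: stand-in values (assumption) */
#define IP_RECVDSTADDR 7
#define IP_RECVDSTPORT 33
#endif

/* Fill *dst from recvmsg() control data; 1 only if address AND port arrived. */
int orig_dst_from_cmsg(struct msghdr *msg, struct sockaddr_in *dst)
{
    int have = 0;
    *dst = (struct sockaddr_in){ .sin_family = AF_INET };
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level != IPPROTO_IP)
            continue;
        if (c->cmsg_type == IP_RECVDSTADDR &&
            c->cmsg_len == CMSG_LEN(sizeof(dst->sin_addr))) {
            memcpy(&dst->sin_addr, CMSG_DATA(c), sizeof(dst->sin_addr));
            have |= 1;
        } else if (c->cmsg_type == IP_RECVDSTPORT &&
                   c->cmsg_len == CMSG_LEN(sizeof(dst->sin_port))) {
            memcpy(&dst->sin_port, CMSG_DATA(c), sizeof(dst->sin_port));
            have |= 2; /* port stays in network byte order */
        }
    }
    return have == 3;
}

/* Constructed sample below: control data for a datagram sent to 192.0.2.53:53. */
static void put(struct cmsghdr *c, int type, const void *data, size_t n)
{
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = type;
    c->cmsg_len = CMSG_LEN(n);
    memcpy(CMSG_DATA(c), data, n);
}

int demo_parse(struct sockaddr_in *dst, int with_port)
{
    union { struct cmsghdr hdr; char buf[2 * CMSG_SPACE(4)]; } u = { .buf = { 0 } };
    struct msghdr msg = { .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    const unsigned char addr[4] = { 192, 0, 2, 53 }, port[2] = { 0, 53 };
    put(CMSG_FIRSTHDR(&msg), IP_RECVDSTADDR, addr, sizeof(addr));
    put(CMSG_NXTHDR(&msg, CMSG_FIRSTHDR(&msg)), IP_RECVDSTPORT, port, sizeof(port));
    msg.msg_controllen = with_port ? sizeof(u.buf) : CMSG_SPACE(sizeof(addr));
    return orig_dst_from_cmsg(&msg, dst);
}
```

On OpenBSD both options are switched on per socket with setsockopt() at level IPPROTO_IP before the first recvmsg(). A return of 0 means the datagram carried no usable original destination, so the caller should drop it rather than fall back to the listener's own address.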