AW: Avoiding DNAT

Harald Scharf h.scharf@softpoint.at
Fri, 27 Jul 2001 09:01:27 +0200


Hello, Patrick,

You're right, the IP is only submitted if the request ran through a proxy.

Sorry for this .... :-(   (it's very hot in Austria).

Harald Scharf
Intel Certified Integration Specialist Networking
Softpoint electronic
Netzwerksysteme / Firewalls
Bricks Core Development
mailto:h.scharf@softpoint.at
www.bricks.at
www.softpoint.at


-----Original Message-----
From: Patrick Schaaf [mailto:bof@bof.de]
Sent: Friday, 27 July 2001 08:57
To: Harald Scharf
Cc: 'Woody'; Netfilter Mailing List (E-Mail)
Subject: Re: Avoiding DNAT


> There is nothing to do, because Apache (you do use Apache, don't you?)
> writes the logfile with the IPs from the HTTP header. (OSI Layer 7)

Sorry, but there is no client IP in the HTTP request headers.
If there were, I wouldn't trust it in any way (it would be
client-supplied, and easily fakeable). The exception to this
rule is clients which already ran through a web proxy - web proxies
tend to note the client IP in some header (e.g. X-Forwarded-For in squid).
But that's not part of the HTTP standard request, and not universal.

A solution to the original request would be to run a reverse proxy
on the firewall machine, and have that reverse proxy do the logging.

A less intruding solution might be using the ULOG target to selectively
log the request packets as they fly by. It should be possible to write
an ULOG user level process which reassembles the TCP stream from client
to server. I don't know whether ULOG sees the original source, though,
so maybe this is not practical right now.

regards
  Patrick
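As an added example (not code from this thread or from the netfilter project), here is the check that Patrick's point implies for anyone who does want to log X-Forwarded-For: believe the header only when the TCP peer is a proxy you control, walk the hop list from the right past your own proxies, and otherwise log the peer address the kernel actually saw. The trusted proxy networks and the sample header values below are constructed for the example.

```python
"""Pick the client address to log, trusting X-Forwarded-For only when it
came from a proxy we control (added example; not from the original thread)."""
import ipaddress
from typing import Optional

# Constructed for this example: the proxies (e.g. a squid or a reverse proxy
# on the firewall) whose X-Forwarded-For entries we are willing to believe.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.5/32"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def is_trusted_proxy(addr: ipaddress._BaseAddress) -> bool:
    """True if addr lies inside one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the address that should appear in the access log.

    remote_addr: the TCP peer address (what the kernel and the web server see).
    xff:         the raw X-Forwarded-For header value, or None if absent.

    If the peer is not a trusted proxy, the header is client-supplied and
    is ignored entirely.  Otherwise the comma-separated chain is walked from
    the right (the entry appended by the nearest proxy) leftwards, skipping
    our own proxies; the first address that is not ours is the client.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted_proxy(peer) or not xff:
        return remote_addr

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Garbage inserted by the client (or a buggy upstream): we cannot
            # log a meaningful address from it, so fall back to the peer.
            return remote_addr
        if not is_trusted_proxy(addr):
            return str(addr)

    # Every hop was one of our proxies: the leftmost entry is as far back
    # as the chain goes, so log that.
    return hops[0]


if __name__ == "__main__":
    # Constructed sample connections: (peer address, X-Forwarded-For header).
    samples = [
        ("203.0.113.7", "198.51.100.9"),                  # direct client spoofing XFF
        ("10.0.0.5", "198.51.100.9"),                     # via our proxy
        ("10.0.0.5", "198.51.100.9, 192.168.1.20"),       # via two of our proxies
        ("10.0.0.5", "not-an-ip"),                        # proxy forwarded garbage
        ("10.0.0.5", None),                               # proxy sent no header
    ]
    for peer, header in samples:
        print(f"peer={peer:<13} xff={header!r:<34} log as {client_ip(peer, header)}")
```

Note that this only decides what to write in the log; it does not make the client address verified in any stronger sense than the proxy's own word, which is exactly why the proxy must be one you operate.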