From: Tom Uffner
To: freebsd-pf@freebsd.org
Date: Wed, 18 Jul 2007 17:21:09 -0400
Subject: pf and proxy arp

If I deploy a pf firewall on a network where the attached routers or hosts cannot or will not route the appropriate traffic to the firewall, then the firewall must direct that traffic to itself by either binding the addresses of devices behind it or by publishing proxy ARP for them.
For various reasons, binding the addresses either doesn't work or is very inconvenient. That leaves me with proxy ARP. I have written rc.d scripts to publish proxy ARP for all my non-NATed addresses behind the firewall, and/or to read my pf.conf and proxy for all the addresses that are the object of one or more translation rules at startup.

But two cases where this static approach becomes problematic are: translation rules that are dynamically added and removed inside anchors, and redundant CARP firewalls, where it is not obvious how the shell can determine the shared MAC address of carpN, and where presumably only the box with the fastest heartbeat should be proxying unless it goes down.

I think the first case can be handled by adding an option to pfctl to add (or delete) an appropriate pub entry in the arp cache any time it is called to add/delete a translation rule, but I am at a bit of a loss for how to handle the 2nd case cleanly. Would it cause contention if all the hosts sharing an address via CARP were doing proxy ARP for one or more other addresses?

Comments? Suggestions?

thanks,
tom
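As an added example (not code from the original post or from the poster's rc.d scripts), here is the static half of the approach described above in POSIX sh: it reads a pf.conf, collects the addresses that are the object of nat/binat/rdr translation rules, and emits the FreeBSD arp(8) commands that publish (or withdraw) a proxy-ARP entry for each one. The sample ruleset, the hypothetical vhid 10 and its MAC are constructed for the example; the MAC follows the CARP virtual-MAC scheme 00:00:5e:00:01:<vhid>, which is the shared address a carpN interface answers for, so on a CARP pair the "add" commands belong on the master only and the "del" commands on demotion to backup. The example generalises slightly beyond the post by handling all three translation rule types and by filtering out macros, tables, brace lists, "any" and CIDR blocks, so only literal IPv4 host addresses get published.

```shell
#!/bin/sh
# Added example: derive proxy-ARP targets from pf.conf translation rules and
# emit the matching FreeBSD arp(8) commands. Not the original poster's script.
#
# Rules handled: the address after "->" in nat/binat rules (the address remote
# hosts will reply to) and the address after "to" in rdr rules (the public
# address traffic arrives at). Macros ($var), tables (<name>), brace lists,
# "any" and CIDR blocks are skipped; extend the awk filter if your ruleset
# relies on those forms.

# Constructed sample ruleset, used only to exercise the functions below.
SAMPLE_PF_CONF='ext_if = "em0"
# web server on its own public address, translated 1:1
binat on $ext_if from 192.168.1.10 to any -> 203.0.113.10
# mail and web on a shared public address, split by port
rdr on $ext_if proto tcp from any to 203.0.113.20 port 25 -> 192.168.1.20 port 25
rdr on $ext_if proto tcp from any to 203.0.113.20 port 80 -> 192.168.1.21 port 80
# everything else hides behind one address
nat on $ext_if from 192.168.1.0/24 to any -> 203.0.113.1
# table-based rule: skipped, because the table contents are not in pf.conf
rdr on $ext_if proto tcp from any to <webservers> port 443 -> 192.168.1.30
pass in all'

# proxy_arp_targets: read pf.conf on stdin, print one unique IPv4 host
# address per line for every address that is the object of a translation rule.
proxy_arp_targets() {
    awk '
        /^[[:space:]]*#/ { next }                    # skip comment lines
        $1 == "nat" || $1 == "binat" {               # translated-to address
            for (i = 1; i < NF; i++) if ($i == "->") print $(i + 1)
            next
        }
        $1 == "rdr" {                                # public destination address
            for (i = 1; i < NF; i++) if ($i == "to") print $(i + 1)
            next
        }
    ' | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u
}

# emit_arp_commands add|del MAC: for each address read on stdin, print the
# arp(8) command that publishes (or withdraws) a proxy-ARP entry with the given
# MAC. Printing rather than executing keeps this a dry run; pipe the output
# into sh on the firewall (as root) to apply it.
emit_arp_commands() {
    action=$1
    mac=$2
    case $action in
        add|del) ;;
        *) echo "usage: emit_arp_commands add|del MAC" >&2; return 1 ;;
    esac
    while read -r addr; do
        if [ "$action" = add ]; then
            printf 'arp -s %s %s pub\n' "$addr" "$mac"
        else
            printf 'arp -d %s\n' "$addr"
        fi
    done
}

# Assumed CARP virtual MAC for a hypothetical vhid 10 (00:00:5e:00:01:<vhid>).
CARP_MAC=00:00:5e:00:01:0a

# Stand-alone usage: show the publish commands for the sample ruleset.
printf '%s\n' "$SAMPLE_PF_CONF" | proxy_arp_targets | emit_arp_commands add "$CARP_MAC"
```

Run against the real file with `proxy_arp_targets < /etc/pf.conf | emit_arp_commands add "$CARP_MAC" | sh`; the same pipeline with `del` withdraws the entries, which is what a CARP state-change hook would call on demotion. Rules loaded into anchors at runtime never appear in pf.conf and are not covered by this static pass.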