From owner-freebsd-stable Tue Apr 28 08:03:02 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA09193 for freebsd-stable-outgoing; Tue, 28 Apr 1998 08:03:02 -0700 (PDT) (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id IAA09080 for ; Tue, 28 Apr 1998 08:02:56 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost) by beatrice.rutgers.edu (950413.SGI.8.6.12/950213.SGI.AUTOCF) id KAA04532 for freebsd-stable@FreeBSD.ORG; Tue, 28 Apr 1998 10:40:06 -0400
From: "Allen Smith"
Message-Id: <9804281040.ZM4530@beatrice.rutgers.edu>
Date: Tue, 28 Apr 1998 10:40:06 -0400
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: freebsd-stable@FreeBSD.ORG
Subject: Proxy ARP: arp -s vs choparp
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk

Hi. We're looking at using a FreeBSD-stable system as a firewall machine. We've got the problem with this that, due to internal political problems, we can't actually set the machine up as a router. I'm therefore intending to use ip_filter and its fastroute capabilities, under which things get chucked to a rule-determined interface without worrying about routed et al. However, this has the problem of how machines on the outside interface are going to know that they should send packets for the inner machines to the outside interface's ethernet address. The solution appears to be proxy ARP.

I now have the question of how to do proxy ARP. There appear to be two possibilities:

1. arp -s

   Advantages:
   A. Doesn't require running a choparp process, thus consuming CPU cycles (of concern when filtering an Ethernet, especially since we're considering going to 100Base-TX)
   B. Doesn't require a permanent BPF, which is a potential security problem (sniffing et al if somebody breaks into the firewall machine)

   Disadvantages:
   A. I don't know how to make sure the kernel doesn't try using the entries itself when it's routing stuff via the interior interface
   B. I don't know how to make sure the broadcasts aren't out the interior interface

2. choparp (in the net/ports)

   Advantages:
   A. The broadcasts are automatically interface-linked
   B. So far as I can tell from reading over the kernel source code (I'm admittedly not much of a C programmer - I prefer Perl), the kernel will ignore ARP responses coming from itself

   Disadvantages:
   A. See above under arp -s's advantages

Any advice? Should I also send this to freebsd-isp@FreeBSD.ORG (as the people who deal most with firewalls) and/or freebsd-hackers@FreeBSD.ORG (where I've found the most proxy arp discussions)?

Thanks,
-Allen

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
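As an added illustration that is not part of Allen's message, of choparp, or of the FreeBSD kernel, the Python below simulates the decision a proxy-ARP responder has to make for every ARP request it sees: answer only on the outside interface, answer only for the inside addresses it has been told to publish, and never answer a request that carries its own hardware address. Those are exactly the two worries the message raises about arp -s (entries being used or broadcast on the interior side) and the property it credits to choparp (interface-linked, self-ignoring). In FreeBSD's arp(8), arp -s marks such an entry with the pub keyword and the kernel does the answering; the user-space version here makes the same logic readable and testable. The interface name de0, the 02:00:... MAC addresses and the 192.0.2.x addresses are constructed placeholders.

```python
"""Simulated proxy-ARP responder (constructed example, not choparp or the FreeBSD kernel)."""
import struct
from dataclasses import dataclass
from typing import Optional, Set

ARP_HTYPE_ETHERNET = 1
ARP_PTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes


def mac_bytes(text: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def ip_bytes(text: str) -> bytes:
    """'192.0.2.10' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))


def build_arp(op: int, sender_mac: bytes, sender_ip: bytes,
              target_mac: bytes, target_ip: bytes) -> bytes:
    """Serialise a 28-byte Ethernet/IPv4 ARP payload (RFC 826 layout)."""
    header = struct.pack("!HHBBH", ARP_HTYPE_ETHERNET, ARP_PTYPE_IPV4, 6, 4, op)
    return header + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(payload: bytes) -> ArpPacket:
    """Parse an Ethernet/IPv4 ARP payload; reject anything else."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (ARP_HTYPE_ETHERNET, ARP_PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    body = payload[8:28]
    return ArpPacket(op, body[0:6], body[6:10], body[10:16], body[16:20])


class ProxyArpResponder:
    """Answers 'who-has' requests for published inside addresses, but only on
    the outside interface and never in response to the firewall's own frames."""

    def __init__(self, outside_iface: str, outside_mac: bytes,
                 published_ips: Set[bytes]) -> None:
        self.outside_iface = outside_iface
        self.outside_mac = outside_mac
        self.published_ips = published_ips

    def handle(self, iface: str, payload: bytes) -> Optional[bytes]:
        """Return the ARP reply to send, or None if the request must be ignored."""
        if iface != self.outside_iface:
            return None  # never publish on the interior interface
        try:
            pkt = parse_arp(payload)
        except ValueError:
            return None
        if pkt.op != ARP_REQUEST:
            return None
        if pkt.sender_mac == self.outside_mac:
            return None  # the firewall's own request: ignore it
        if pkt.target_ip not in self.published_ips:
            return None  # not one of the inside hosts we front for
        # Claim the firewall's outside MAC for the inside host's address.
        return build_arp(ARP_REPLY, self.outside_mac, pkt.target_ip,
                         pkt.sender_mac, pkt.sender_ip)


# Constructed sample topology (placeholder names and addresses).
FIREWALL_OUTSIDE_MAC = mac_bytes("02:00:00:00:00:01")
INSIDE_HOSTS = {ip_bytes("192.0.2.10"), ip_bytes("192.0.2.11")}
OUTSIDE_ROUTER_MAC = mac_bytes("02:00:00:00:00:99")
OUTSIDE_ROUTER_IP = ip_bytes("192.0.2.1")

responder = ProxyArpResponder("de0", FIREWALL_OUTSIDE_MAC, INSIDE_HOSTS)


def demo_reply_for(target_ip: str, iface: str = "de0") -> Optional[ArpPacket]:
    """Feed a broadcast 'who-has target_ip' from the outside router; return the parsed reply."""
    request = build_arp(ARP_REQUEST, OUTSIDE_ROUTER_MAC, OUTSIDE_ROUTER_IP,
                        bytes(6), ip_bytes(target_ip))
    reply = responder.handle(iface, request)
    return parse_arp(reply) if reply is not None else None


if __name__ == "__main__":
    print(demo_reply_for("192.0.2.10"))          # answered with the firewall's MAC
    print(demo_reply_for("192.0.2.10", "de1"))   # None: request arrived on the inside
```

The three early returns in handle are the whole point: a responder that lacks the interface check would advertise the firewall's MAC to the very hosts it is fronting for, and one that lacks the own-MAC check could end up answering itself.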