From owner-freebsd-hackers Wed Apr 29 11:21:09 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA29001 for freebsd-hackers-outgoing; Wed, 29 Apr 1998 11:21:09 -0700 (PDT) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from sumatra.americantv.com (sumatra.americantv.com [207.170.17.37]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA28972 for ; Wed, 29 Apr 1998 11:20:48 -0700 (PDT) (envelope-from jlemon@americantv.com)
Received: from right.PCS (right.PCS [148.105.10.31]) by sumatra.americantv.com (8.8.5/8.8.5) with ESMTP id NAA04086; Wed, 29 Apr 1998 13:20:36 -0500 (CDT)
Received: (from jlemon@localhost) by right.PCS (8.6.13/8.6.4) id NAA12074; Wed, 29 Apr 1998 13:20:04 -0500
Message-ID: <19980429132003.21663@right.PCS>
Date: Wed, 29 Apr 1998 13:20:04 -0500
From: Jonathan Lemon
To: Allen Smith
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Proxy ARP for transparent firewalling: arp -s pub vs choparp
References: <9804291312.ZM27991@beatrice.rutgers.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.61.1
In-Reply-To: <9804291312.ZM27991@beatrice.rutgers.edu>; from Allen Smith on Apr 04, 1998 at 01:12:15PM -0400
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Apr 04, 1998 at 01:12:15PM -0400, Allen Smith wrote:
> In this, in order to get the Network Services controlled router to
> direct packets that are for our machines to the firewall's exterior
> interface, it'll need to be sending our ARP packets that will tell the
> router (and the other machines on the local network) that its Ethernet
> interface is the one for all our machines' IP addresses. The firewall
> (a FreeBSD-stable machine that we're in the process of getting in from
> Atipa) will have ip_filter set up on it, which will use its fastroute
> capability to route packets to its interior interface if they're for
> our machines.
> Our machines will be set up with the firewall's interior
> interface (probably a private IP address, if I can get the routing set
> up properly for those - SGI's route implementation seems to be buggy
> in this regard, although that may be conflicts with routed) as their
> default gateway.

I have a similar situation, so I should describe what I have set up.

    [network]---[ firewall ]--------------------[machineN]
                 de0      de1
      ip: y.y.y.y    ip: x.x.x.x            ip: x.x.x.x
      ether: a:a:a:a:a:a                    ether: b:b:b:b:b:b

Change the /etc/rc.conf on the firewall to:

1. configure the firewall interfaces identically:

       ifconfig_de0="inet x.x.x.x netmask 0xffff0000"
       ifconfig_de1="inet x.x.x.x netmask 0xffff0000"

2. install direct interface routes for each machine behind the firewall:

       static_routes="machine1"
       route_machine1="y.y.y.y -link de1:b:b:b:b:b:b -iface"

3. turn on proxyall (this will pass all arp requests back and forth
   between the two interfaces):

       arpproxy_all="YES"

4. add permanent ARP entries for each machine behind the firewall
   (place this in something like /etc/rc.conf.local):

       arp -s machine1 auto pub

Now, when:

- the firewall gets an ARP request for any of machineN, it will answer
  with its own MAC entry.
- the firewall gets an IP packet for machineN, it will use the interface
  route to send the packet to the internal network.
- machineN sends an ARP reply, the firewall will use this for sending to
  machineN, instead of the `published' MAC entry.
- machineN sends an ARP request, the firewall will forward the
  request/reply between the two interfaces.

This may not be the best way to do this, but it works for me. :-)
--
Jonathan
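As an added example (not code from this mail or from FreeBSD), the following sh script builds the rc.conf lines of steps 2 and 3 and the arp commands of step 4 from a single host list, and then audits a saved `arp -an` listing for published entries that are not on that list, which is the check you want after the firewall starts fronting for addresses. The host-list format, the `$IFACE` variable and all addresses and MACs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the mail or from FreeBSD: build the rc.conf
# lines of steps 2 and 3 and the arp(8) commands of step 4 from one host
# list, then audit a saved `arp -an` listing for "published" entries that
# are not on that list (a stray pub entry means the firewall is answering
# ARP for an address nobody meant it to front for).
# Assumptions: host list lines are "name ip mac"; inside interface is $IFACE.
IFACE=de1

# Constructed sample host list (RFC 5737 documentation addresses, made-up MACs).
HOSTS='machine1 198.51.100.10 02:00:00:00:00:01
machine2 198.51.100.11 02:00:00:00:00:02'

# Steps 2 and 3: static_routes, one -iface route per host, and arpproxy_all.
gen_rc_conf() {
    printf '%s\n' "$HOSTS" | awk -v iface="$IFACE" '
        { names = names (NR > 1 ? " " : "") $1
          routes = routes "route_" $1 "=\"" $2 " -link " iface ":" $3 " -iface\"\n" }
        END { printf "static_routes=\"%s\"\n%sarpproxy_all=\"YES\"\n", names, routes }'
}

# Step 4: the arp -s ... auto pub commands for /etc/rc.conf.local.
gen_arp_cmds() {
    printf '%s\n' "$HOSTS" | awk '{ print "arp -s " $1 " auto pub" }'
}

# Audit: read an `arp -an` listing on stdin and print every published IP
# that is not in HOSTS.  Expects the "? (ip) at mac on iface ... published"
# line shape; the IP is the parenthesised second field.
unexpected_published() {
    awk -v hosts="$HOSTS" '
        BEGIN { n = split(hosts, line, "\n")
                for (i = 1; i <= n; i++) { split(line[i], f, " "); ok[f[2]] = 1 } }
        /published/ { ip = $2; gsub(/[()]/, "", ip); if (!(ip in ok)) print ip }'
}

# Constructed `arp -an` listing: the two expected entries, one stray published
# entry, and an ordinary dynamic entry on the outside interface.
SAMPLE_ARP='? (198.51.100.10) at 02:00:00:00:00:01 on de1 permanent published [ethernet]
? (198.51.100.11) at 02:00:00:00:00:02 on de1 permanent published [ethernet]
? (198.51.100.99) at 02:00:00:00:00:99 on de1 permanent published [ethernet]
? (198.51.100.1) at 02:00:00:00:00:aa on de0 expires in 1200 seconds [ethernet]'

gen_rc_conf
gen_arp_cmds
printf '%s\n' "$SAMPLE_ARP" | unexpected_published
```

Run against a real `arp -an` capture, the audit prints only the addresses the firewall publishes that are missing from the host list, so an empty result is the expected state.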