Date:      Wed, 29 Apr 1998 14:22:17 -0400
From:      "Allen Smith" <easmith@beatrice.rutgers.edu>
To:        Jonathan Lemon <jlemon@americantv.com>, freebsd-hackers@FreeBSD.ORG
Subject:   Re: Proxy ARP for transparent firewalling: arp -s pub vs choparp
Message-ID:  <9804291422.ZM28544@beatrice.rutgers.edu>
In-Reply-To: Jonathan Lemon <jlemon@americantv.com>  "Re: Proxy ARP for transparent firewalling: arp -s pub vs choparp" (Apr 29,  1:20pm)
References:  <9804291312.ZM27991@beatrice.rutgers.edu>  <19980429132003.21663@right.PCS>

On Apr 29,  1:20pm, Jonathan Lemon (possibly) wrote:

> I have a similar situation, so I should describe what I have setup.

Thank you.

> 
>   [network]---[         firewall          ]--------------------[machineN]
>               de0                      de1                     ip: y.y.y.y
>               ip: x.x.x.x              ip: x.x.x.x
>               ether: a:a:a:a:a:a       ether: b:b:b:b:b:b
> 
> 	Change the /etc/rc.conf on the firewall to:
> 
> 	1. configure the firewall interfaces identically:
> 
> 		ifconfig_de0="inet x.x.x.x netmask 0xffff0000"		
> 		ifconfig_de1="inet x.x.x.x netmask 0xffff0000"		

I may not be seeing something that should be obvious, but why do you
have them as the same IP address? Wouldn't this interfere with doing
proxying for ftp (needed due to the data connection for interfacing
with servers that don't do passive connections properly), etcetera?
(We're mainly planning on doing packet filtering, but will do proxying
where necessary.)

> 	2. install direct interface routes for each machine behind
> 	   the firewall:
> 
> 		static_routes="machine1"
> 		route_machine1="y.y.y.y -link de1:b:b:b:b:b:b -iface"
> 
> 	3. turn on proxyall (this will pass all arp requests back and
> 	   forth between the two interfaces)
> 
> 		arpproxy_all="YES"

Interesting...

> 	4. add permanent ARP entries for each machine behind the firewall:
> 	   (place this in something like /etc/rc.conf.local)
> 
> 		arp -s machine1 auto pub
> 
>     Now, when:
> 
>     - the firewall gets an ARP request for any of machineN, it will
>       answer with its own MAC entry.

Right...

>     - the firewall gets an IP packet for machineN, it will use the
>       interface route to send the packet to the internal network.

Good... ip_filter with fastroute should work the same way.

>     - machineN sends an ARP reply, the firewall will use this 
>       for sending to machineN, instead of the `published' MAC entry.

Good...

>     - machineN sends an ARP request, the firewall will forward the
>       request/reply between the two interfaces.

Huh. How is the inner interface of the firewall going to be getting
packets with ethernet addresses of exterior machines? If you've
instead got the inner machines set up to route to the firewall's inner
interface, why should they need to send any ARP requests for exterior
machines?

> 
> This may not be the best way to do this, but it works for me.  :-)

It's certainly not something I'd have ever thought of, but it may be
useful. I'll have to think on it some more.

	Thanks,

	-Allen
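To check that a setup like the one quoted above is actually in place, here is an added example (not from the thread and not FreeBSD's own code) that parses constructed `arp -an` output and flags internal hosts that lack a permanent, published ARP entry on the inner interface; the arp(8) line format, the addresses and the interface names are assumptions.

```python
import re

# Constructed sample of `arp -an` output in the FreeBSD arp(8) style
# (format assumed; addresses and MACs are made up for this example).
SAMPLE_ARP_AN = """\
? (10.1.0.1) at 0:a0:c9:1:2:3 on de0 permanent [ethernet]
? (10.1.5.10) at 0:a0:c9:4:5:6 on de1 permanent published [ethernet]
? (10.1.5.11) at 0:a0:c9:4:5:6 on de1 permanent published [ethernet]
? (10.1.5.12) at 0:60:8:7:8:9 on de1 expires in 1133 seconds [ethernet]
? (10.1.5.13) at 0:a0:c9:4:5:6 on de0 permanent published [ethernet]
"""

ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]+|\(incomplete\)) on (?P<iface>\S+)"
    r"(?P<flags>.*)\[ethernet\]$"
)

def parse_arp_an(text):
    """Map ip -> {mac, iface, permanent, published} from arp -an style lines."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not ARP entries
        flags = m.group("flags")
        table[m.group("ip")] = {
            "mac": m.group("mac"),
            "iface": m.group("iface"),
            "permanent": "permanent" in flags,
            "published": "published" in flags,
        }
    return table

def audit_proxy_arp(table, internal_hosts, inner_iface):
    """Return {ip: problem} for internal hosts without a usable published entry.

    A host behind the firewall is reachable from outside only if the firewall
    holds a permanent, published entry for it on the inner interface (the one
    the -iface route points at); anything else is reported.
    """
    problems = {}
    for ip in internal_hosts:
        ent = table.get(ip)
        if ent is None:
            problems[ip] = "no ARP entry: 'arp -s ... pub' missing"
        elif not ent["published"]:
            problems[ip] = "entry not published: outside hosts cannot reach it"
        elif not ent["permanent"]:
            problems[ip] = "entry is dynamic and will expire"
        elif ent["iface"] != inner_iface:
            problems[ip] = "published on %s, expected %s" % (ent["iface"], inner_iface)
    return problems
```

Run it against real `arp -an` output piped in from the firewall, with the list of internal hosts taken from the same rc.conf that generates the `arp -s` entries, to catch entries that were never added or landed on the wrong interface.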
