Date: Wed, 29 Apr 1998 15:22:08 -0500
From: Jonathan Lemon <jlemon@americantv.com>
To: Allen Smith <easmith@beatrice.rutgers.edu>
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Proxy ARP for transparent firewalling: arp -s pub vs choparp
Message-ID: <19980429152208.47192@right.PCS>
In-Reply-To: <9804291422.ZM28544@beatrice.rutgers.edu>; from Allen Smith on Apr 04, 1998 at 02:22:17PM -0400
References: <9804291312.ZM27991@beatrice.rutgers.edu> <19980429132003.21663@right.PCS> <9804291422.ZM28544@beatrice.rutgers.edu>
On Apr 04, 1998 at 02:22:17PM -0400, Allen Smith wrote:
> On Apr 29, 1:20pm, Jonathan Lemon (possibly) wrote:
> >
> >    [network]---[ firewall ]--------------------[machineN]
> >                 de0        de1                  ip: y.y.y.y
> >            ip: x.x.x.x     ip: x.x.x.x
> >       ether: a:a:a:a:a:a   ether: b:b:b:b:b:b
> >
> > Change the /etc/rc.conf on the firewall to:
> >
> > 1. configure the firewall interfaces identically:
> >
> >    ifconfig_de0="inet x.x.x.x netmask 0xffff0000"
> >    ifconfig_de1="inet x.x.x.x netmask 0xffff0000"
>
> I may not be seeing something that should be obvious, but why do you
> have them as the same IP address? Wouldn't this interfere with doing
> proxying for ftp (needed due to the data connection for interfacing
> with servers that don't do passive connections properly), etcetera?
> (We're mainly planning on doing packet filtering, but will do proxying
> where necessary.)

Why not? Since the two networks are separate, the IP address is still
unique on each network.

> > - machineN sends an ARP request, the firewall will forward the
> >   request/reply between the two interfaces.
>
> Huh. How is the inner interface of the firewall going to be getting
> packets with ethernet addresses of exterior machines? If you've
> instead got the inner machines set up to route to the firewall's inner
> interface, why should they need to send any ARP requests for exterior
> machines?

Perhaps I didn't express myself clearly. The interior machines aren't
set up to route through the firewall; their routing tables are exactly
the same as if the firewall wasn't there at all. So when they try to
send "directly" to a host, the firewall picks up the ARP request,
re-transmits it on the other side, gets the response, and enters the
response into the firewall's ARP table. Then the firewall creates an ARP
reply to the interior machine, consisting of the firewall's interior MAC
address. So insofar as the internal machines are concerned, they think
they have a direct connection to the exterior machines.
I also forgot to mention that I have IP forwarding enabled on the
"firewall" in this scenario. Actually, it isn't acting as a firewall at
all, but a bandwidth limiter, so I can control the amount of bandwidth
which the interior machines are able to use.
--
Jonathan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
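The relay behaviour Jonathan describes (pick up the ARP request on one interface, re-transmit it on the other, learn the real MAC, answer the requester with the relay's own MAC on that side, then rely on IP forwarding to move the packets) modelled as a small Python simulation. This is an added example; it is not code from the thread, from FreeBSD's arp(8) `pub` entries, or from choparp. The class and function names, the two relay MACs and all host addresses are constructed for the demo, not taken from the message.

```python
# Added example, not code from the original thread: a model of the proxy-ARP
# relay described above. Names, addresses and MACs are constructed for the demo.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

RELAY_INSIDE_MAC = "02:00:00:00:00:01"   # constructed: relay's MAC on the interior segment
RELAY_OUTSIDE_MAC = "02:00:00:00:00:02"  # constructed: relay's MAC on the exterior segment


@dataclass
class Host:
    ip: str
    mac: str
    arp_cache: Dict[str, str] = field(default_factory=dict)


class Segment:
    """One Ethernet broadcast domain (one side of the relay)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.hosts: Dict[str, Host] = {}

    def attach(self, host: Host) -> None:
        self.hosts[host.ip] = host

    def arp_reply_for(self, ip: str) -> Optional[str]:
        """Broadcast 'who has ip?' on this segment; only the owner answers."""
        owner = self.hosts.get(ip)
        return owner.mac if owner else None


class ProxyArpRelay:
    """Two-interface box that answers ARP on one side for hosts on the other."""

    def __init__(self, inside: Segment, outside: Segment,
                 inside_mac: str, outside_mac: str, ip_forwarding: bool = True) -> None:
        # side name -> (relay's own MAC on that side, the far segment)
        self.sides = {inside.name: (inside_mac, outside),
                      outside.name: (outside_mac, inside)}
        self.arp_table: Dict[str, Tuple[str, str]] = {}  # ip -> (far segment, real MAC)
        self.ip_forwarding = ip_forwarding

    def on_arp_request(self, seg: Segment, target_ip: str) -> Optional[str]:
        """ARP request seen on `seg`: re-transmit it on the far side, record the
        real MAC, and answer the requester with the relay's own MAC on `seg`."""
        own_mac, far = self.sides[seg.name]
        if target_ip not in self.arp_table:
            real = far.arp_reply_for(target_ip)
            if real is None:
                return None  # nobody on the far side owns it: stay silent
            self.arp_table[target_ip] = (far.name, real)
        learned_on, _ = self.arp_table[target_ip]
        if learned_on != far.name:
            return None  # target lives on the requester's own segment: let it answer
        return own_mac

    def forward(self, target_ip: str) -> Optional[Tuple[str, str]]:
        """Where an IP packet for target_ip is re-sent (needs IP forwarding on)."""
        if not self.ip_forwarding:
            return None
        return self.arp_table.get(target_ip)


def resolve(host: Host, seg: Segment, relay: ProxyArpRelay, target_ip: str) -> Optional[str]:
    """host ARPs for target_ip on seg and caches whatever MAC comes back.
    A host on the same segment answers itself; otherwise the relay may answer."""
    mac = seg.arp_reply_for(target_ip) or relay.on_arp_request(seg, target_ip)
    if mac is not None:
        host.arp_cache[target_ip] = mac
    return mac


def demo() -> Dict[str, object]:
    """Build the constructed topology and run the cases discussed in the thread."""
    inside, outside = Segment("inside"), Segment("outside")
    machine_n = Host("192.0.2.10", "02:00:00:00:00:10")   # constructed interior host
    machine_m = Host("192.0.2.11", "02:00:00:00:00:11")   # constructed interior neighbour
    exterior = Host("198.51.100.7", "02:00:00:00:00:70")  # constructed exterior host
    for h in (machine_n, machine_m):
        inside.attach(h)
    outside.attach(exterior)
    relay = ProxyArpRelay(inside, outside, RELAY_INSIDE_MAC, RELAY_OUTSIDE_MAC)
    return {
        "n_sees_exterior_as": resolve(machine_n, inside, relay, exterior.ip),
        "relay_learned": relay.arp_table.get(exterior.ip),
        "forward_target": relay.forward(exterior.ip),
        "n_sees_neighbour_as": resolve(machine_n, inside, relay, machine_m.ip),
        "unknown_address": resolve(machine_n, inside, relay, "192.0.2.99"),
        "exterior_sees_n_as": resolve(exterior, outside, relay, machine_n.ip),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two checks in the model are the ones a practitioner would want in the real relay: it answers only after the far side actually replied, so it never plants a MAC for an address nobody owns in an interior host's cache, and it declines to answer for an address it learned on the requester's own segment. From the interior host's point of view the relay's reply is indistinguishable from ARP spoofing by any other host on that segment, which is why this scheme only works on segments the operator controls.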