From: don-lartc@isis.cs3-inc.com (Don Cohen)
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Proxy Arp question
Date: Sun, 04 May 2003 18:53:29 +0000
Message-ID: <marc-lartc-105207496220319@msgid-missing>
In-Reply-To: <marc-lartc-105184920302860@msgid-missing>


Here's what I believe proxy_arp does.  
If anyone knows better please send corrections.

When an arp request arrives on an interface, if proxy_arp is OFF at
that interface, then we reply only if it asks who has an IP address
assigned to that interface.  In that case we reply that this IP
address is at the MAC address of the receiving interface.

If, however, proxy_arp is ON at that interface, then we check the
routing table (here things get a little fuzzy, since in reality the
routing can depend on all sorts of things other than the destination
address, and the arp request isn't specifying any of those) to find
out, if we were sending a packet to that IP address, which interface
we would use to send it out.  If there is such an interface (we do
have a route to that address) and it's NOT the same one that the
request arrived on, then we reply with the MAC address of the
interface on which the request arrived.

 > Only eth1 has proxy_arp on, but as described earlier, this machine
 > is working correctly...

It seems to me that this is possible, but suggests that your other
machines are misconfigured.
Normally if you want to move a machine back and forth between points
X and Y below

 --- router --- hub --- firewall --- X
                 |
                 Y

then the router and that machine both think they are on the same LAN.
That is, the routing table of each will claim that the other can be
reached without an intermediate gateway.  If the router thought the
machine was on its LAN but the host to be moved back and forth thought
it could only reach the router through the firewall, and both
interfaces of the firewall had the same IP address, then it would work
(meaning the host and router could communicate in either configuration)
with only the router side interface of the firewall doing proxy_arp.
In this case the host is still communicating with the router through
the firewall even when it's on the outside (at Y).  This is less
efficient than the recommended set up where the host talks directly to
the router when it's outside the firewall.

 > ...  Let's say I have a working network 
 > with servers providing web pages, dns, mail, etc....  Now I want to put all 
 > the servers behind a firewall and not have to change my network around by 
 > subnetting or masquerading.  So proxy_arp fits the picture well, all I may have 

You also have to change the routing on the firewall, right?

 > to do is flush arp cache or wait for a timeout.  I did this using shorewall, 
 > and it is working great.  Now my question:
 > 
 > In my current setup, my firewall has an address on my public network (the same 
 > network as my servers).  Is it possible to set up proxy_arp so that the 
 > proxy_arp-firewall does not have an identity on the public network?  This 
 > would make it transparent and a little more secure because there would be no 
 > possible way for someone to try to access the firewall directly??

In order to use proxy_arp your firewall does have to have IP addresses
at its interfaces but not necessarily public ones.  They could be 10.
addresses, for instance.  You might also disallow IP packets to your
firewall other than from particular places (like a trusted machine
inside the firewall).  That is, the firewall could drop packets with
its own destination IP address unless they come from a trusted
interface and/or IP address.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
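The decision procedure Don describes above, written out as a small simulation. This is an added example, not code from the thread or from the LARTC HOWTO: the interface names, MAC addresses and IP addresses are constructed (documentation ranges), and the rules follow Don's description rather than the kernel source. Two caveats a practitioner should know: the per-interface knob is net.ipv4.conf.<if>.proxy_arp, and stock Linux with arp_ignore=0 answers for any address configured on any local interface, not only the receiving one, so rule 1 below is narrower than the default kernel behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# All addresses and MACs below are constructed for the example
# (RFC 5737 / RFC 7042 documentation ranges), not taken from the thread.


@dataclass
class Interface:
    name: str
    mac: str
    addrs: List[ipaddress.IPv4Interface]
    proxy_arp: bool = False          # models net.ipv4.conf.<name>.proxy_arp


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                         # output interface
    via: Optional[ipaddress.IPv4Address] = None   # gateway; None means on-link


class Host:
    """A box with interfaces and a destination-only routing table."""

    def __init__(self, ifaces: List[Interface], routes: List[Route]):
        self.ifaces = {i.name: i for i in ifaces}
        self.routes = routes

    def route_lookup(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        # Longest-prefix match on the destination only.  This is the "fuzzy"
        # part of Don's description: real policy routing can also key on the
        # source address, fwmark, etc., none of which an ARP request carries.
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def arp_reply(self, in_dev: str, target_ip: str) -> Optional[str]:
        """Return the MAC to put in an ARP reply, or None to stay silent."""
        iface = self.ifaces[in_dev]
        target = ipaddress.IPv4Address(target_ip)
        # Rule 1: the target is our own address on the receiving interface.
        if any(target == a.ip for a in iface.addrs):
            return iface.mac
        if not iface.proxy_arp:
            return None
        # Rule 2 (proxy_arp on): answer on the target's behalf only if we
        # would forward packets for it out of a *different* interface.
        r = self.route_lookup(target)
        if r is None or r.dev == in_dev:
            return None
        return iface.mac


def example_firewall(proxy_arp: bool = True) -> Host:
    """Firewall between the router/hub (eth0) and a server on eth1.

    Both interfaces carry the same public address, as the thread discusses,
    and a /32 host route points at the server behind the firewall.
    """
    eth0 = Interface("eth0", "00:00:5e:00:53:00",
                     [ipaddress.IPv4Interface("198.51.100.2/24")], proxy_arp)
    eth1 = Interface("eth1", "00:00:5e:00:53:01",
                     [ipaddress.IPv4Interface("198.51.100.2/32")], proxy_arp)
    routes = [
        Route(ipaddress.IPv4Network("198.51.100.10/32"), "eth1"),   # server inside
        Route(ipaddress.IPv4Network("198.51.100.0/24"), "eth0"),    # rest of the public LAN
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth0",
              ipaddress.IPv4Address("198.51.100.1")),               # default via the router
    ]
    return Host([eth0, eth1], routes)


if __name__ == "__main__":
    fw = example_firewall()
    cases = [
        ("eth0", "198.51.100.10", "router asks for the server: answered with eth0's MAC"),
        ("eth1", "198.51.100.1",  "server asks for the router: answered with eth1's MAC"),
        ("eth0", "198.51.100.20", "router asks for another outside host: same interface, silent"),
        ("eth0", "198.51.100.2",  "firewall's own address: answered regardless of proxy_arp"),
        ("eth1", "192.0.2.50",    "server asks for an off-subnet address: default route via eth0, answered"),
    ]
    for dev, ip, why in cases:
        print(f"{dev} who-has {ip:15} -> {fw.arp_reply(dev, ip)}  ({why})")
    print("proxy_arp off on eth0:", example_firewall(proxy_arp=False).arp_reply("eth0", "198.51.100.10"))
```

The third case is the one that matters for safety: the route-table check is what stops a proxy_arp interface from claiming every address on its own segment and silently pulling the whole LAN's traffic through the firewall. The last case is the configuration Don describes where the host believes it can only reach the router through the firewall; the firewall answers for an off-subnet destination because its default route leaves by the other interface.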

Thread overview: 11+ messages
2003-05-02  4:18 [LARTC] Proxy Arp question Joseph Watson
2003-05-02  7:31 ` christopher cuse
2003-05-03  5:02 ` Joseph Watson
2003-05-03  7:35 ` christopher cuse
2003-05-03 15:27 ` Joseph Watson
2003-05-04 18:53 ` Don Cohen [this message]
2003-05-04 19:41 ` christopher cuse
2003-05-04 20:56 ` Martin A. Brown
2003-05-04 22:53 ` Joseph Watson
2003-05-04 23:15 ` Martin A. Brown
2003-05-06  0:15 ` Joseph Watson