From: christopher cuse <ccuse@tiscali.fr>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Proxy Arp question
Date: Sun, 04 May 2003 19:41:04 +0000 [thread overview]
Message-ID: <marc-lartc-105207705621726@msgid-missing> (raw)
In-Reply-To: <marc-lartc-105184920302860@msgid-missing>
hi joseph,
ok, got the picture.
as far as i know, it would be difficult to tinker with proxy_arp, but
you could always turn off arp on the "public" interface with ifconfig.
#ifconfig eth0 -arp
this is a tactic employed by the linux virtual server project, and
*might* do what you want. couldn't test here because of some
particularities with my setup.
a shame that bridging doesn't allow netfiltering (iptables) control --
this would correspond most closely to your goal -- a transparent layer 2
bridge, with layer 3 filtering.
clearly, iptables rules on the INPUT and OUTPUT chains pursuant to the
firewall itself should minimize your risk.
best of luck
christopher cuse
On Sat, 2003-05-03 at 17:27, Joseph Watson wrote:
> On Saturday May 3 2003 03:33 am, you wrote:
> > Hi Joseph,
> >
> > I took a look more closely at your schema ...
> >
> ...snip...
> >
> > i'm having a bit of trouble understanding exactly what you're trying to
> > achieve here.
>
> Well let me try to explain a different way. Let's say I have a working network
> with servers providing web pages, dns, mail, etc.... Now I want to put all
> the servers behind a firewall and not have to change my network around by
> subnetting or masquerading. So proxy_arp fits the picture well, all I may have
> to do is flush arp cache or wait for a timeout. I did this using shorewall,
> and it is working great. Now my question:
>
> In my current setup, my firewall has an address on my public network (the same
> network as my servers). Is it possible to set up proxy_arp so that the
> proxy_arp-firewall does not have an identity on the public network? This
> would make it transparent and a little more secure because there would be no
> possible way for someone to try to access the firewall directly?
>
>
> ..snip...
>
> >
> > 192.168.1.0/24 dev eth0 scope link
> > 192.168.3.0/24 dev eth1 scope link
> > 127.0.0.0/8 dev lo scope link
> >
> > your routing table is missing localhost, or did you <snip> it? check.
> >
>
> I did snip out all but the routes that pertained to proxy_arp setup :)
>
> --
> Regards
>
> Joseph Watson
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
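As an added example (not code from this thread or the LARTC project), the shell script below applies the proxy-ARP layout from the quoted routing table together with the INPUT/OUTPUT lockdown suggested above; the interface roles (eth0 public, eth1 server side), the subnets and the management subnet are assumptions, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Assumed from the quoted routing table: eth0 faces the public LAN
# (192.168.1.0/24), eth1 faces the servers (192.168.3.0/24).
# MGMT_NET is an assumed admin subnet allowed to reach the firewall.
PUB_IF=${PUB_IF:-eth0}
SRV_IF=${SRV_IF:-eth1}
MGMT_NET=${MGMT_NET:-192.168.3.0/24}

# With DRY_RUN=1 the commands are printed for review instead of run,
# so the ruleset can be checked without root or real interfaces.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

proxy_arp_setup() {
    # Forwarding plus proxy_arp on both interfaces: the firewall answers
    # ARP for the servers on eth0 and for the rest of the LAN on eth1.
    # Note: "ifconfig eth0 -arp" (IFF_NOARP) makes the kernel drop all ARP
    # on eth0, including the proxy replies, so it is not used here.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.$PUB_IF.proxy_arp=1
    run sysctl -w net.ipv4.conf.$SRV_IF.proxy_arp=1
}

firewall_self_protection() {
    # Default-deny for traffic to and from the firewall itself. Forwarded
    # server traffic is unaffected: it crosses FORWARD, not INPUT/OUTPUT.
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -A INPUT  -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Management (ssh) only from the server side, never via the public side.
    run iptables -A INPUT -i $SRV_IF -s $MGMT_NET -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    # Log anything aimed at the firewall from the public side before the
    # DROP policy discards it; this is the "direct access" attempt log.
    run iptables -A INPUT -i $PUB_IF -j LOG --log-prefix "FW-DIRECT: "
}

# Only apply when explicitly asked; "DRY_RUN=1 sh script.sh apply" to preview.
if [ "${1:-}" = apply ]; then
    proxy_arp_setup
    firewall_self_protection
fi
```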
Thread overview: 11+ messages
2003-05-02 4:18 [LARTC] Proxy Arp question Joseph Watson
2003-05-02 7:31 ` christopher cuse
2003-05-03 5:02 ` Joseph Watson
2003-05-03 7:35 ` christopher cuse
2003-05-03 15:27 ` Joseph Watson
2003-05-04 18:53 ` Don Cohen
2003-05-04 19:41 ` christopher cuse [this message]
2003-05-04 20:56 ` Martin A. Brown
2003-05-04 22:53 ` Joseph Watson
2003-05-04 23:15 ` Martin A. Brown
2003-05-06 0:15 ` Joseph Watson