[LARTC] Proxy Arp question

[LARTC] Proxy Arp question

[Joseph Watson]

Hello,

I have been digging around for a while trying to get a good understanding of 
how to configure linux to do proxy arp.  I understand the conncept well 
(there is lots of info on this), but am struggling to get a clear 
understanding of implimenting it on linux. 

First question:
Is the following possible, or does the firewall have to have a address on 
192.168.1.0/24 network??  My thought was I could add a route on eth0 to the 
192.168.1.0/24 network, and a route on eth1 to the host 192.168.1.2 and then 
turn on proxy arp.

    192.168.1.0/24
              |
   eth0: 192.168.2.1
        Firewall
   eth1: 192.168.3.1
              |
      192.168.1.2


Second question:
I have been using Shorewall as a firewall, and it comes with proxyarp 
capability.  Here is the working configuration of my firewall using proxy 
arp:

    192.168.1.0/24
              |
   eth0: 192.168.1.1
        Firewall
   eth1: 192.168.3.1
              |
      192.168.1.2

There are the following routes:
 192.168.1.2 dev eth1  scope link
 192.168.1.0/24 dev eth0  scope link

This makes sence.  Where I am confused is when I check the proxy_arp settings:

[]# cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
0
[]# cat /proc/sys/net/ipv4/conf/eth1/proxy_arp
1
[]#

Why is proxy_arp not turned on for eth0??  Every howto I can find says to turn 
on proxy_arp for both interfaces.  

Thanks for any help.

-- 
Regards

Joseph Watson
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Proxy Arp question

[christopher cuse]

Hi Joseph,

In order to set proxy_arp, and lots of other great stuff, check out

[root@drs0 etc]# man sysctl
<snip>

[root@drs0 etc]# sysctl -a | grep proxy_arp
net.ipv4.conf.ppp1.proxy_arp = 0
net.ipv4.conf.ppp0.proxy_arp = 0
net.ipv4.conf.eth1.proxy_arp = 0
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.proxy_arp = 0

so now, add the the line 

net.ipv4.conf.all.proxy_arp = 1

to your /etc/sysctl.conf file and it will loaded each time your network
starts. This is also a good place to add net.ipv4.ip_forward = 1 as
well.

Hope this helps.

Cheers

Christopher CUSE



On Fri, 2003-05-02 at 06:18, Joseph Watson wrote:
> Hello,
> 
> I have been digging around for a while trying to get a good understanding of 
> how to configure linux to do proxy arp.  I understand the conncept well 
> (there is lots of info on this), but am struggling to get a clear 
> understanding of implimenting it on linux. 
> 
> First question:
> Is the following possible, or does the firewall have to have a address on 
> 192.168.1.0/24 network??  My thought was I could add a route on eth0 to the 
> 192.168.1.0/24 network, and a route on eth1 to the host 192.168.1.2 and then 
> turn on proxy arp.
> 
>     192.168.1.0/24
>               |
>    eth0: 192.168.2.1
>         Firewall
>    eth1: 192.168.3.1
>               |
>       192.168.1.2
> 
> 
> Second question:
> I have been using Shorewall as a firewall, and it comes with proxyarp 
> capability.  Here is the working configuration of my firewall using proxy 
> arp:
> 
>     192.168.1.0/24
>               |
>    eth0: 192.168.1.1
>         Firewall
>    eth1: 192.168.3.1
>               |
>       192.168.1.2
> 
> There are the following routes:
>  192.168.1.2 dev eth1  scope link
>  192.168.1.0/24 dev eth0  scope link
> 
> This makes sence.  Where I am confused is when I check the proxy_arp settings:
> 
> []# cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
> 0
> []# cat /proc/sys/net/ipv4/conf/eth1/proxy_arp
> 1
> []#
> 
> Why is proxy_arp not turned on for eth0??  Every howto I can find says to turn 
> on proxy_arp for both interfaces.  
> 
> Thanks for any help.
> 
> -- 
> Regards
> 
> Joseph Watson
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Proxy Arp question

[Joseph Watson]

On Friday May 2 2003 03:30 am, you wrote:
> Hi Joseph,
>
> In order to set proxy_arp, and lots of other great stuff, check out
>
> [root@drs0 etc]# man sysctl
> <snip>
>
> [root@drs0 etc]# sysctl -a | grep proxy_arp
> net.ipv4.conf.ppp1.proxy_arp = 0
> net.ipv4.conf.ppp0.proxy_arp = 0
> net.ipv4.conf.eth1.proxy_arp = 0
> net.ipv4.conf.eth0.proxy_arp = 0
> net.ipv4.conf.lo.proxy_arp = 0
> net.ipv4.conf.default.proxy_arp = 0
> net.ipv4.conf.all.proxy_arp = 0
>
snip.....

Here is the settings on my firewall:

[jtwatson]# sysctl -a | grep proxy_arp
net.ipv4.conf.ipsec0.proxy_arp = 0
net.ipv4.conf.eth3.proxy_arp = 0
net.ipv4.conf.eth1.proxy_arp = 1
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.proxy_arp = 0

Only eth1 has proxy_arp on, but as described earlier, this machine is working 
correctly.  I have servers in my dmz (eth1) that are on the same network as 
my wan (eth0) and proxy_arp is doing its job.

Why do all the howto's say to turn on proxy_arp on both interfaces, and I have 
working proof that is not the case.  Maybe I am missing something else?? 

Bottom line is I am trying to understand in detail how the kernel need to be 
configured.  I don't like to just make it work, and not understand why it is 
working.

-- 
Regards

Joseph Watson
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Proxy Arp question

[christopher cuse]

hi joseph,

i took a look more closely at your schema ...


On Fri, 2003-05-02 at 06:18, Joseph Watson wrote:
> Hello,
> 
> I have been digging around for a while trying to get a good understanding of 
> how to configure linux to do proxy arp.  I understand the conncept well 
> (there is lots of info on this), but am struggling to get a clear 
> understanding of implimenting it on linux. 
> 
> First question:
> Is the following possible, or does the firewall have to have a address on 
> 192.168.1.0/24 network??  My thought was I could add a route on eth0 to the 
> 192.168.1.0/24 network, and a route on eth1 to the host 192.168.1.2 and then 
> turn on proxy arp.
> 
>     192.168.1.0/24
>               |
>    eth0: 192.168.2.1
>         Firewall
>    eth1: 192.168.3.1
>               |
>       192.168.1.2

i'm having a bit of trouble understanding exactly what you're trying to
achieve here.

a host's gateway needs to be on the same same subnet, therefore your
schema should read

       192.168.1.2-254/24 <- (hosts 2 thru 254)
               |
    eth0: 192.168.1.1/24
         Firewall
    eth1: 192.168.3.1/24
               |
       192.168.3.2-254/24 <- (hosts 2 thru 254)

unless you have your doing something special where host 192.168.1.2
(from your diagram) is "logically" on the 192.168.1.0/24 subnet although
it is not "physically." Is this the case (tunelling/vpn)?

if your setup is indeed as i have indicated, then you can set firewall
rules, allowing a host(s) on the 192.168.3.0/24 subnet to host(s) and
service(s) on the 192.168.1.0/24 subnet without issue.


> Second question:
> I have been using Shorewall as a firewall, and it comes with proxyarp 
> capability.  Here is the working configuration of my firewall using proxy 
> arp:
> 
>     192.168.1.0/24
>               |
>    eth0: 192.168.1.1
>         Firewall
>    eth1: 192.168.3.1
>               |
>       192.168.1.2
> 
> There are the following routes:
>  192.168.1.2 dev eth1  scope link
>  192.168.1.0/24 dev eth0  scope link
> 
> This makes sence.  Where I am confused is when I check the proxy_arp settings:
> 
> []# cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
> 0
> []# cat /proc/sys/net/ipv4/conf/eth1/proxy_arp
> 1
> []#
> 
> Why is proxy_arp not turned on for eth0??  Every howto I can find says to turn 
> on proxy_arp for both interfaces.  
 
192.168.1.0/24 dev eth0  scope link
192.168.3.0/24 dev eth1  scope link
127.0.0.0/8 dev lo  scope link

your routing table is missing localhost, or did you <snip> it? check.

cheers

christopher cuse



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Proxy Arp question

[Joseph Watson]

On Saturday May 3 2003 03:33 am, you wrote:
> Hi Joseph,
>
> I took a look more closely at your schema ...
>
...snip...
>
> i'm having a bit of trouble understanding exactly what you're trying to
> achieve here.

Well let me try to explain a different way.  Lets say I have a working network 
with servers providing web pages, dns, mail, etc....  Now I want to put all 
the servers behind a firewall and not have to change my network around by 
subneting or masqerating.  So proxy_arp fits the picture well, all I may have 
to do is flush arp cache or wait for a timeout.  I did this using shorewall, 
and it is working great.  Now my question:

In my current setup, my firewall has a address on my public network (the same 
network as my servers).  Is it possable to set up proxy_arp so that the 
proxy_arp-firewall does not have a identity on the public network?  This 
would make it transparent and a little more secure because there would be no 
possible way for someone to try to access the firewall directly??


..snip...

>
> 192.168.1.0/24 dev eth0  scope link
> 192.168.3.0/24 dev eth1  scope link
> 127.0.0.0/8 dev lo  scope link
>
> your routing table is missing localhost, or did you <snip> it? check.
>

I did snip out all but the routes that pertained to proxy_arp setup  :)

-- 
Regards

Joseph Watson
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Proxy Arp question

[Don Cohen]

Here's what I believe proxy_arp does.  
If anyone knows better please send corrections.

When an arp request arrives on an interface, if proxy_arp is OFF at
that interface, then we reply only if it asks who has an IP address
assigned to that interface.  In that case we reply that this IP
address is at the MAC address of the receiving interface.

If, however, proxy_arp is ON at that interface, then we check the
routing table (here things get a little fuzzy, since in reality the
routing can depend on all sorts of things other than the destination
address, and the arp request isn't specifying any of those) to find
out, if we were sending a packet to that IP address, which interface
we would use to send it out.  If there is such an interface (we do
have a route to that address) and it's NOT the same one that the
request arrived on, then we reply with the MAC address of the
interface on which the request arrived.

 > Only eth1 has proxy_arp on, but as described earlier, this machine
   is working correctly...

It seems to me that this is possible, but suggests that your other
machines are misconfigured.
Normally if you want to move a machine back and forth between points
X and Y below

 --- router --- hub --- firewall --- X
                 |
                 Y

then the router and that machine both think they are on the same LAN.
That is, the routing table of each will claim that the other can be
reached without an intermediate gateway.  If the router thought the
machine was on its lan but the host to be moved back and forth thought
it could only reach the router through the firewall, and both
interfaces of the firewall had the same IP address, then it would work
(meaning the host and router could communicate in either configuration)
with only the router side interface of the firewall doing proxy_arp.
In this case the host is still communicating with the router through
the firewall even when it's on the outside (at Y).  This is less
efficient than the recommended set up where the host talks directly to
the router when it's outside the firewall.

 > ...  Lets say I have a working network 
 > with servers providing web pages, dns, mail, etc....  Now I want to put all 
 > the servers behind a firewall and not have to change my network around by 
 > subneting or masqerating.  So proxy_arp fits the picture well, all I may have 

You also have to change the routing on the firewall, right?

 > to do is flush arp cache or wait for a timeout.  I did this using shorewall, 
 > and it is working great.  Now my question:
 > 
 > In my current setup, my firewall has a address on my public network (the same 
 > network as my servers).  Is it possable to set up proxy_arp so that the 
 > proxy_arp-firewall does not have a identity on the public network?  This 
 > would make it transparent and a little more secure because there would be no 
 > possible way for someone to try to access the firewall directly??

In order to use proxy_arp your firewall does have to have IP addresses
at its interfaces but not necessarily public ones.  They could be 10.
addresses, for instance.  You might also disallow IP packets to your
firewall other than from particular places (like a trusted machine
inside the firewall).  That is, the firewall could drop packets with
its own destination IP address unless they come from a trusted
interface and/or IP address.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Proxy Arp question

[christopher cuse]

hi joseph,

ok, got the picture.

as far as i know, it would be difficult to tinker with proxy_arp, but
you could always turn off arp on the "public" interface with ifconfig.

#ifconfig eth0 -arp

this is a tactic employed by the linux virtual server project, and
*might* do what you want. couldn't test here because of some
particularities with my setup. 

a shame that bridging doesn't allow netfiltering (iptables) control --
this would correspond most closely to your goal -- a transparent layer 2
bridge, with layer 3 filtering.

clearly, iptables rules on the INPUT and OUTPUT chains pursuant to the
firewall itself should minimize your risk


best of luck

christopher cuse

On Sat, 2003-05-03 at 17:27, Joseph Watson wrote:
> On Saturday May 3 2003 03:33 am, you wrote:
> > Hi Joseph,
> >
> > I took a look more closely at your schema ...
> >
> ...snip...
> >
> > i'm having a bit of trouble understanding exactly what you're trying to
> > achieve here.
> 
> Well let me try to explain a different way.  Lets say I have a working network 
> with servers providing web pages, dns, mail, etc....  Now I want to put all 
> the servers behind a firewall and not have to change my network around by 
> subneting or masqerating.  So proxy_arp fits the picture well, all I may have 
> to do is flush arp cache or wait for a timeout.  I did this using shorewall, 
> and it is working great.  Now my question:
> 
> In my current setup, my firewall has a address on my public network (the same 
> network as my servers).  Is it possable to set up proxy_arp so that the 
> proxy_arp-firewall does not have a identity on the public network?  This 
> would make it transparent and a little more secure because there would be no 
> possible way for someone to try to access the firewall directly??
> 
> 
> ..snip...
> 
> >
> > 192.168.1.0/24 dev eth0  scope link
> > 192.168.3.0/24 dev eth1  scope link
> > 127.0.0.0/8 dev lo  scope link
> >
> > your routing table is missing localhost, or did you <snip> it? check.
> >
> 
> I did snip out all but the routes that pertained to proxy_arp setup  :)
> 
> -- 
> Regards
> 
> Joseph Watson
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Proxy Arp question

[Martin A. Brown]

Hello all,

This is a correction to Christopher's post and a further explanation of
proxy ARP with reference to Don Cohen's excellent post [1] of earlier
today.

 : as far as i know, it would be difficult to tinker with proxy_arp, but
 : you could always turn off arp on the "public" interface with ifconfig.
 :
 : #ifconfig eth0 -arp

While this does indeed turn off ARP entirely on an interface, this also
prevents any ARP replies from an interface, including proxy ARP replies.

I haven't yet had the opportunity to digest all of Don Cohen's message of
earlier today, but my first reading of his post agreed with my
understanding of proxy ARP by the linux kernel.  I would make two
general notes of caution about using proxy ARP.

  - The interface on which the user is using proxy ARP must have ARP
    support.  Practically speaking, this means that if the NOARP flag*
    is visible in "ip link" or "ifconfig" output, proxy ARP will not
    work.
  - The router which is performing proxy ARP must have a route (for
    the IP address of the destination) which uses an interface other
    than the interface on which the router is performing proxy ARP.
    In other words, the kernel will not send an ARP reply on interface
    Y for IP address X if IP address X is reachable through interface
    Y.  Make sure your routing table is correct.  (This is not a problem
    for Joseph.) (Upon re-reading Don's post, he says the same thing
    more eloquently.)

 : this is a tactic employed by the linux virtual server project, and
 : *might* do what you want. couldn't test here because of some
 : particularities with my setup.

Because machines functioning as realservers in an LVS cluster often host
the same IP address on multiple machines, ARP suppression is required to
prevent uncontrolled ARP flux from defeating the benefits of load
balancing.  The complete suppression of ARP would break a network using
proxy ARP.

 : a shame that bridging doesn't allow netfiltering (iptables) control --
 : this would correspond most closely to your goal -- a transparent layer 2
 : bridge, with layer 3 filtering.

Bridging does allow packet filtering with netfilter.  You need to use the
br+nf patches to the kernel [2].  In fact, at the main bridging site, [3],
there are links to a number of documents, and Shawn Grimes has even
written an entire PDF about how to use packet filtering on a bridge [4].
Also, consult the bridge mailing list archives [5].

 : clearly, iptables rules on the INPUT and OUTPUT chains pursuant to the
 : firewall itself should minimize your risk

Christopher--you could be a bit clearer in expressing this answer.  I
think Don Cohen's answer to the question "can I use a different set of
addresses for managing the firewall" was more complete.  The firewall
could make use of RFC 1918 addresses and limit connections to these
address to a known set of hosts.  You are correct, though that INPUT and
OUTPUT chains would minimize risk to the firewall itself, whether bridging
or not.

Joseph--I have a question for you about how your shorewall box is
detecting when you move a host from one interface to another?  I have been
puzzling over ways to do this, and I believe I have stumbled on one, but I
was hoping you might have already solved this problem.  Naturally, the
shorewall box needs to know at all times the location of your roving host,
so autodetection of the location of the box might be handy.

-Martin

*  Here is an example of an ethernet interface with ARP functionality
   suppressed.  "ip link" and "ifconfig" output is shown for completeness.

# ip link show dev eth1
3: eth1: <BROADCAST,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:80:c8:e8:1e:fc brd ff:ff:ff:ff:ff:ff
# ifconfig  eth1
eth1      Link encap:Ethernet  HWaddr 00:80:C8:E8:1E:FC
          inet addr:10.10.20.89  Bcast:10.10.20.255  Mask:255.255.255.0
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:547 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7293 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:62174 (60.7 Kb)  TX bytes:399178 (389.8 Kb)
          Interrupt:12 Base address:0x6600

 [1]  http://mailman.ds9a.nl/pipermail/lartc/2003q2/008315.html
 [2]  http://bridge.sourceforge.net/devel/bridge-nf/
 [3]  http://bridge.sourceforge.net/docs.html
 [4]  http://bridge.sourceforge.net/docs/Firewalling%20for%20Free.pdf
 [5]  http://www.math.leidenuniv.nl/pipermail/

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Proxy Arp question

[Joseph Watson]

On Sunday May 4 2003 04:56 pm, Martin A. Brown wrote:
>
....snip....
>
> Joseph--I have a question for you about how your shorewall box is
> detecting when you move a host from one interface to another?  I have been
> puzzling over ways to do this, and I believe I have stumbled on one, but I
> was hoping you might have already solved this problem.  Naturally, the
> shorewall box needs to know at all times the location of your roving host,
> so autodetection of the location of the box might be handy.
>
> -Martin
>

I tell it what hosts are in the dmz  ....  it does not autodetect.  I just add 
the host to the shorewall config.

I have a question maybe you can help me with though:

Here is the working configuration of my testing firewall using proxy 
arp:

    192.168.1.0/24
              |
   eth0: 192.168.1.1
        Firewall
   eth1: 192.168.3.1
              |
      192.168.1.2

There are the following routes used by proxy-arp:
 192.168.1.2 dev eth1  scope link
 192.168.1.0/24 dev eth0  scope link

This moves host 192.168.1.2 from the public network to the dmz behind the 
firewall.  Where I am confused is when I check the proxy_arp settings:

[]# cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
0
[]# cat /proc/sys/net/ipv4/conf/eth1/proxy_arp
1
[]#

Why is proxy_arp not turned on for eth0??  Every howto I can find says to turn 
on proxy_arp for both interfaces.

-- 
Regards

Joseph Watson
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Proxy Arp question

[Martin A. Brown]

 : > Joseph--I have a question for you about how your shorewall box is
 : > detecting when you move a host from one interface to another?  I have been
 : > puzzling over ways to do this, and I believe I have stumbled on one, but I
 : > was hoping you might have already solved this problem.  Naturally, the
 : > shorewall box needs to know at all times the location of your roving host,
 : > so autodetection of the location of the box might be handy.

 : I tell it what hosts are in the dmz ....  it does not autodetect.  I
 : just add the host to the shorewall config.

Right.  So, you make a manual change.  That answers my implied question.
I'm not sure why I assumed you had any autodection.

 : I have a question maybe you can help me with though:

I saw your question before, and I do not know how to explain this.  I
share your desire to understand why something works even though it appears
to be incomplete.

 : Here is the working configuration of my testing firewall using proxy
 : arp:
 :
 :     192.168.1.0/24
 :               |
 :    eth0: 192.168.1.1
 :         Firewall
 :    eth1: 192.168.3.1
 :               |
 :       192.168.1.2
 :
 : There are the following routes used by proxy-arp:
 :  192.168.1.2 dev eth1  scope link
 :  192.168.1.0/24 dev eth0  scope link
 :
 : This moves host 192.168.1.2 from the public network to the dmz behind the
 : firewall.  Where I am confused is when I check the proxy_arp settings:
 :
 : []# cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
 : 0
 :
 : []# cat /proc/sys/net/ipv4/conf/eth1/proxy_arp
 : 1

First, this makes sense to me.  If any machine behind eth1 generates an
ARP request, and the firewall can reach the requested IP (directly), the
firewall will generate an ARP reply.  This is proxy ARP for eth1.  In your
case, this means that any host behind eth1 will think it is on the same
ethernet as the entire 192.168.1.0/24, when in fact, it is not.

This allows you to insert your packet filter between it and
192.168.1.0/24.

 : Why is proxy_arp not turned on for eth0??  Every howto I can find says
 : to turn on proxy_arp for both interfaces.

Well, I don't exactly know why your upstream router (available on eth0
with IP 192.168.1.x/24) thinks it can reach 192.168.1.2.  I would be
interested in knowing what the ARP cache entry for 192.168.1.2 looked
like in the upstream router.

The interesting part is the 0 in your net.ipv4.conf.eth0.proxy_arp.
Machines in 192.168.1.0/24 on eth0 should not be able to receive an answer
for the IP 192.168.1.2.  There is no problem at all with this aside from
the router.  The upstream router must have a link layer address to which
to forward ethernet frames with IP packets.

So, you'll need to

  - tell us what you see in the ARP cache on your router
  - test "arping -I $INTERFACE 192.168.1.2" from another host in
    192.168.1.0/24 on the eth0 side of firewall
  - perhaps "tcpdump -nn -i eth0 host 192.168.1.2 and arp" to see what
    sorts of ARP traffic is occurring in regard to 192.168.1.2

I don't have any speculation about why this continues to work for you.  I
can certainly understand why outbound packets/frames can successfully
pass the firewall and reach the world, but I do not understand how
machines on the eth0 side of your firewall are resolving a link layer
address for 192.168.1.2.

So, I don't have an explanation.  Can you get us one?

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Proxy Arp question

[Joseph Watson]

On Sunday May 4 2003 07:15 pm, Martin A. Brown wrote:
>
> I don't have any speculation about why this continues to work for you.  I
> can certainly understand why outbound packets/frames can successfully
> pass the firewall and reach the world, but I do not understand how
> machines on the eth0 side of your firewall are resolving a link layer
> address for 192.168.1.2.
>
> So, I don't have an explanation.  Can you get us one?
>
> -Martin

Here is a explanation from shorewalls author:

On Monday May 5 2003 07:51 pm, Tom Eastep wrote:
>
> From the 'setup_proxy_arp' function in Shorewall:
>
>       arp -Ds $address $external pub
>
>       echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
>       echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
>
> Note: $address   = the address of the system  $external  = the external
> interface
>       $interface = the internal interface
>
>
> In other words, I add a persistent ARP cache entry for the address on the
> external interface and I turn on the proxy_arp flag for the internal
> interface.
>
> Doing it that way prevents external hosts on the same subnet from being
> able to use ARP to probe the configuration of your internal network.
>
> -Tom

Clears it up well.

-- 
Regards

Joseph Watson
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/