From: Joseph Watson <jtwatson@datakota.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Proxy Arp question
Date: Tue, 06 May 2003 00:15:44 +0000
Message-ID: <marc-lartc-105218020510300@msgid-missing>
In-Reply-To: <marc-lartc-105184920302860@msgid-missing>
On Sunday May 4 2003 07:15 pm, Martin A. Brown wrote:
>
> I don't have any speculation about why this continues to work for you. I
> can certainly understand why outbound packets/frames can successfully
> pass the firewall and reach the world, but I do not understand how
> machines on the eth0 side of your firewall are resolving a link layer
> address for 192.168.1.2.
>
> So, I don't have an explanation. Can you get us one?
>
> -Martin
Here is an explanation from Shorewall's author:
On Monday May 5 2003 07:51 pm, Tom Eastep wrote:
>
> From the 'setup_proxy_arp' function in Shorewall:
>
> arp -Ds $address $external pub
>
> echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
> echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
>
> Note: $address = the address of the system
> $external = the external interface
> $interface = the internal interface
>
>
> In other words, I add a persistent ARP cache entry for the address on the
> external interface and I turn on the proxy_arp flag for the internal
> interface.
>
> Doing it that way prevents external hosts on the same subnet from being
> able to use ARP to probe the configuration of your internal network.
>
> -Tom
Clears it up well.
--
Regards
Joseph Watson
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
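
The layout Tom Eastep describes can be audited from /proc: the proxied address should appear as a published ARP entry on the external interface, with proxy_arp off there and on for the internal interface. The script below is an added example, not code from Shorewall or from this thread; the ARP_TABLE and CONF_ROOT overrides, the function names, the eth1 interface name and the sample table are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the proxy ARP layout from the quoted Shorewall commands.
# ARP_TABLE and CONF_ROOT are assumptions of this sketch: overridable paths so
# the checks can run on constructed files as well as the live /proc tree.
ARP_TABLE=${ARP_TABLE:-/proc/net/arp}
CONF_ROOT=${CONF_ROOT:-/proc/sys/net/ipv4/conf}
ATF_PUBL=8   # bit 0x08 in the Flags column marks a published (proxy) entry

# Print "address device" for every published entry in the ARP table.
published_entries() {
    while read -r ip _hwtype flags _hwaddr _mask dev; do
        case $flags in 0x*) ;; *) continue ;; esac   # skips the header line
        if [ $(( flags & ATF_PUBL )) -ne 0 ]; then echo "$ip $dev"; fi
    done < "$ARP_TABLE"
}

# Print the proxy_arp flag (0 or 1) of one interface.
proxy_arp_flag() { cat "$CONF_ROOT/$1/proxy_arp"; }

# check_layout ADDRESS EXTERNAL INTERNAL: succeed only if ADDRESS is published
# on EXTERNAL, and proxy_arp is 0 on EXTERNAL and 1 on INTERNAL.
check_layout() {
    address=$1 external=$2 internal=$3 rc=0
    if ! published_entries | grep -qxF "$address $external"; then
        echo "FAIL: no published ARP entry for $address on $external"; rc=1
    fi
    if [ "$(proxy_arp_flag "$external")" != 0 ]; then
        echo "FAIL: proxy_arp is enabled on external interface $external"; rc=1
    fi
    if [ "$(proxy_arp_flag "$internal")" != 1 ]; then
        echo "FAIL: proxy_arp is disabled on internal interface $internal"; rc=1
    fi
    return "$rc"
}

# Constructed sample: 192.168.1.2 published on eth0, eth1 as the internal side.
demo() {
    d=$(mktemp -d); mkdir -p "$d/eth0" "$d/eth1"
    printf '%s\n' \
      'IP address       HW type     Flags       HW address            Mask     Device' \
      '192.168.1.2      0x1         0xc         00:00:00:00:00:00     *        eth0' \
      '192.168.1.254    0x1         0x2         00:11:22:33:44:55     *        eth0' > "$d/arp"
    echo 0 > "$d/eth0/proxy_arp"; echo 1 > "$d/eth1/proxy_arp"
    rc=0; ( ARP_TABLE=$d/arp; CONF_ROOT=$d; check_layout 192.168.1.2 eth0 eth1 ) || rc=$?
    rm -rf "$d"; return "$rc"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a live firewall, source the file and call check_layout with the real address and interface names; a failure on the external interface means blanket proxy ARP is answering there rather than the single published entry.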