From: Joseph Watson
Date: Tue, 06 May 2003 00:15:44 +0000
Subject: Re: [LARTC] Proxy Arp question
To: lartc@vger.kernel.org

On Sunday May 4 2003 07:15 pm, Martin A. Brown wrote:
>
> I don't have any speculation about why this continues to work for you. I
> can certainly understand why outbound packets/frames can successfully
> pass the firewall and reach the world, but I do not understand how
> machines on the eth0 side of your firewall are resolving a link layer
> address for 192.168.1.2.
>
> So, I don't have an explanation. Can you get us one?
>
> -Martin

Here is an explanation from Shorewall's author:

On Monday May 5 2003 07:51 pm, Tom Eastep wrote:
>
> From the 'setup_proxy_arp' function in Shorewall:
>
>     arp -Ds $address $external pub
>
>     echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
>     echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
>
> Note: $address   = the address of the system
>       $external  = the external interface
>       $interface = the internal interface
>
> In other words, I add a persistent ARP cache entry for the address on the
> external interface and I turn on the proxy_arp flag for the internal
> interface.
>
> Doing it that way prevents external hosts on the same subnet from being
> able to use ARP to probe the configuration of your internal network.
>
> -Tom

Clears it up well.

--
Regards
Joseph Watson
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
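The three steps Tom quotes from setup_proxy_arp, and the reason for the split (proxy_arp on the internal interface only, so the external interface never answers ARP on behalf of internal addresses), as an added example that is not Shorewall's code and not part of the thread. It wraps the same commands in POSIX sh functions and adds an audit that checks whether a box is in the hardened state Tom describes or in the weaker "proxy_arp on the external side" state. The interface names eth0 (external) and eth1 (internal), the address 192.168.1.2 and the SYSCTL_ROOT override are assumptions made here; SYSCTL_ROOT exists only so the audit can be pointed at a fake /proc tree without root.

```shell
#!/bin/sh
# Added example, not Shorewall's code. SYSCTL_ROOT is an assumed knob:
# leave it unset on a real host, point it at a scratch directory to test.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4/conf}"

# Print the commands setup_proxy_arp runs for an internal host $address
# sitting behind $internal, published on $external. Printing rather than
# executing keeps the change reviewable before it is applied as root.
proxy_arp_commands() {
    address=$1; external=$2; internal=$3
    printf 'arp -Ds %s %s pub\n' "$address" "$external"
    printf 'echo 1 > %s/%s/proxy_arp\n' "$SYSCTL_ROOT" "$internal"
    printf 'echo 0 > %s/%s/proxy_arp\n' "$SYSCTL_ROOT" "$external"
}

# Apply the commands (needs root). The ip(8) equivalent of the arp line
# is "ip neigh add proxy $address dev $external".
apply_proxy_arp() {
    proxy_arp_commands "$1" "$2" "$3" | sh -e
}

# Read one interface's proxy_arp flag, or "missing" if it cannot be read.
read_proxy_arp() {
    if [ -r "$SYSCTL_ROOT/$1/proxy_arp" ]; then
        cat "$SYSCTL_ROOT/$1/proxy_arp"
    else
        echo missing
    fi
}

# Audit the split Tom describes. Returns 0 when proxy_arp is on for the
# internal interface and off for the external one; 1 when the external
# interface answers proxy ARP (external hosts on that subnet can then use
# ARP to learn which internal addresses exist) or the internal side is
# off; 2 when an interface cannot be inspected.
audit_proxy_arp() {
    external=$1; internal=$2
    ext=$(read_proxy_arp "$external")
    int=$(read_proxy_arp "$internal")
    if [ "$ext" = missing ] || [ "$int" = missing ]; then
        echo "cannot read proxy_arp for $external/$internal"
        return 2
    fi
    if [ "$ext" != 0 ]; then
        echo "WARN: proxy_arp=$ext on external interface $external"
        return 1
    fi
    if [ "$int" != 1 ]; then
        echo "WARN: proxy_arp=$int on internal interface $internal"
        return 1
    fi
    echo "OK: proxy_arp enabled on $internal only"
    return 0
}

# Usage (as root):
#   sh proxy_arp.sh apply 192.168.1.2 eth0 eth1   # address external internal
#   sh proxy_arp.sh audit eth0 eth1               # external internal
case "${1:-}" in
    apply) apply_proxy_arp "$2" "$3" "$4" ;;
    audit) audit_proxy_arp "$2" "$3" ;;
esac
```

The audit reads the same two /proc flags the echo lines write, so it can run from cron or a config-check job; a non-zero return on the external interface is the condition worth alerting on, because that is the setting whose absence Tom relies on to keep internal addresses from being enumerated by ARP from outside.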