[LARTC] shared_media

[LARTC] shared_media

[Marco Berizzi]

Hello everybody.

I have a problem with my firewall rules on my Slackware Linux box 9.0
(kernel 2.4.20-xfs).
This system is configured with 3 NIC (one for the router, one for the
dmz, and the other for the private net).
I have written a firewall (iptables) that is processing packet based
also on the incoming interface.
This firewall is connected in a not good environment where all the NIC
(and the router) are connected to the same switch (don't ask me why).
Here is the problem: an incoming packet from the private net sometimes
is catched by the priv NIC, sometimes is catched by the DMZ nic and
sometimes is catched by router NIC. This happens (I think) because when
a client (windoze) sends an arp request with the priv NIC IP, linux
replies with the MAC address from any of the 3 NIC and not only with the
MAC from the priv NIC.

Is there any setting in /proc to prevent this? shared_media perhaps?

TIA

PS: Please cc me. I'm not receiving messages from this list.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] shared_media

[Varun Varma]

Dear Marco,

Linux, in the 2.4 kernels, has this default behaviour. The ARP reply for 
an IP goes from any interface on the system, not just the one on which 
the IP is configured.

You can change this behaviour by setting:

/proc/sys/net/ipv4/conf/all/arp_filter = 1

Or, if you want to control this for just one interface:

/proc/sys/net/ipv4/conf/interface name e.g. eth0/arp_filter = 1

As an aside, I would also recommed setting up different VLANs, if your 
switch support them. That way you can get different "logical" switches.

Regards,
-Varun

Marco Berizzi wrote:
> Hello everybody.
> 
> I have a problem with my firewall rules on my Slackware Linux box 9.0
> (kernel 2.4.20-xfs).
> This system is configured with 3 NIC (one for the router, one for the
> dmz, and the other for the private net).
> I have written a firewall (iptables) that is processing packet based
> also on the incoming interface.
> This firewall is connected in a not good environment where all the NIC
> (and the router) are connected to the same switch (don't ask me why).
> Here is the problem: an incoming packet from the private net sometimes
> is catched by the priv NIC, sometimes is catched by the DMZ nic and
> sometimes is catched by router NIC. This happens (I think) because when
> a client (windoze) sends an arp request with the priv NIC IP, linux
> replies with the MAC address from any of the 3 NIC and not only with the
> MAC from the priv NIC.
> 
> Is there any setting in /proc to prevent this? shared_media perhaps?
> 
> TIA
> 
> PS: Please cc me. I'm not receiving messages from this list.
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] shared_media

[Marco Berizzi]

Hi Varun,

Thanks a lot for the reply. That's what I was looking for.

----- Original Message ----- 
From: "Varun Varma" <varun@mindsw.com>
To: "Marco Berizzi" <pupilla@hotmail.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Monday, May 12, 2003 1:10 PM
Subject: Re: [LARTC] shared_media


> Dear Marco,
>
> Linux, in the 2.4 kernels, has this default behaviour. The ARP reply
for
> an IP goes from any interface on the system, not just the one on which
> the IP is configured.
>
> You can change this behaviour by setting:
>
> /proc/sys/net/ipv4/conf/all/arp_filter = 1
>
> Or, if you want to control this for just one interface:
>
> /proc/sys/net/ipv4/conf/interface name e.g. eth0/arp_filter = 1
>
> As an aside, I would also recommed setting up different VLANs, if your
> switch support them. That way you can get different "logical"
switches.
>
> Regards,
> -Varun
>
> Marco Berizzi wrote:
> > Hello everybody.
> >
> > I have a problem with my firewall rules on my Slackware Linux box
9.0
> > (kernel 2.4.20-xfs).
> > This system is configured with 3 NIC (one for the router, one for
the
> > dmz, and the other for the private net).
> > I have written a firewall (iptables) that is processing packet based
> > also on the incoming interface.
> > This firewall is connected in a not good environment where all the
NIC
> > (and the router) are connected to the same switch (don't ask me
why).
> > Here is the problem: an incoming packet from the private net
sometimes
> > is catched by the priv NIC, sometimes is catched by the DMZ nic and
> > sometimes is catched by router NIC. This happens (I think) because
when
> > a client (windoze) sends an arp request with the priv NIC IP, linux
> > replies with the MAC address from any of the 3 NIC and not only with
the
> > MAC from the priv NIC.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/