transparent firewall (proxy arp?)

Oliver Meyn lists-tZhE6lH4Esk+k03BA+Hq9g at public.gmane.org
Fri Feb 6 22:33:25 UTC 2004


Hi Mark,

On Fri, 2004-02-06 at 16:32, Mark Wadden wrote:

> I had no idea where to start so I originally looked into some Linux
> bridging docs.  Then I came across this Proxy Arp how-to, which
> essentially describes my exact scenario
> (http://www.sjdjweis.com/linux/proxyarp/).  As promising as this article
> sounds, I couldn't get it to work.
> 
I think I understand what you're trying to do, and I'm doing it using
the proxy arping abilities of shorewall (shoreline firewall).

> I set up a RedHat 9 box as per the instructions in the how-to.  But when
> I hooked everything up (and rebooted the router and switch to clear out
> any arp tables) it wouldn't route any packets through.  From the Proxy
> Arp machine I could ping both sides (router and DMZ) but I couldn't get
> anything to go THROUGH the machine.  At one point I was able to ping
> from the DMZ side to the router, but nothing else was going through. 
> Another strange thing is that I tried a tcpdump on the Proxy Arp box and
> it was only picking up a few packets here and there (even though there
> was a lot of stuff trying to get through).
> 
The big issue most people have when setting this up (according to the
shorewall list archive) is arp caching upstream of you screwing things
up.  It doesn't sound like that's your problem, but it might be.

> So, at this point I'm really stuck.  I should also mention that I don't
> have enough hardware to setup a test network first, so every time I try
> to "test" a change I've made I have to put this machine onto the live
> network (essentially screwing up all traffic in and out of the
> company... not a good thing since we provide hosting services for
> clients).
> 
You _really_ want a test setup because no way is this going to work
"just like that".  Two machines and a spare ip should do it...

Cheers,
Oliver

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
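An added example, not code from this thread or from the proxy ARP how-to it cites: a POSIX shell script that prints (or, with `--apply` as root, runs) the handful of commands a Linux proxy ARP transparent firewall needs. It adds two things a practitioner would want alongside the routing setup: a default-deny FORWARD chain, since a proxy ARP box with no filter rules is only a router, and a gratuitous ARP step for the upstream ARP cache problem Oliver mentions. Interface names (eth0 outside, eth1 inside), the RFC 5737 addresses and the allowed ports are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not code from the thread): minimal Linux proxy ARP
# transparent firewall, written as a plan that can be inspected before it
# is applied. Interface names, addresses and ports are assumptions.

OUTSIDE_IF=${OUTSIDE_IF:-eth0}        # assumed: faces the upstream router
INSIDE_IF=${INSIDE_IF:-eth1}          # assumed: faces the DMZ hosts
ROUTER_IP=${ROUTER_IP:-192.0.2.1}     # constructed RFC 5737 address
DMZ_HOSTS=${DMZ_HOSTS:-"192.0.2.10 192.0.2.11"}   # constructed, same subnet
ALLOWED_TCP=${ALLOWED_TCP:-"80 443"}  # assumed services the DMZ hosts offer

# Routing side: enable forwarding, answer ARP for the far side on each
# interface, and steer each DMZ host out of the inside interface with a
# host route while everything else goes to the upstream router.
proxyarp_plan() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$OUTSIDE_IF"
    printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$INSIDE_IF"
    for h in $DMZ_HOSTS; do
        printf 'ip route add %s/32 dev %s\n' "$h" "$INSIDE_IF"
    done
    printf 'ip route add default via %s dev %s\n' "$ROUTER_IP" "$OUTSIDE_IF"
}

# Filter side: without FORWARD rules the box passes everything, so the
# policy is DROP, replies to existing connections are allowed, and only the
# listed TCP ports on the DMZ hosts accept new inbound connections.
proxyarp_filter_plan() {
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    for h in $DMZ_HOSTS; do
        for p in $ALLOWED_TCP; do
            printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
                "$OUTSIDE_IF" "$INSIDE_IF" "$h" "$p"
        done
    done
    # DMZ hosts may open outbound connections; log whatever reaches the policy
    printf 'iptables -A FORWARD -i %s -o %s -m state --state NEW -j ACCEPT\n' "$INSIDE_IF" "$OUTSIDE_IF"
    printf 'iptables -A FORWARD -j LOG --log-prefix "proxyarp-drop: "\n'
}

# ARP side: the upstream router may still cache the old MAC for each DMZ
# host. In iputils arping, -U sends unsolicited ARP with the source set to
# the destination address, so each host is advertised at eth0's MAC; the
# final command shows which neighbours the outside interface now knows.
arp_refresh_plan() {
    for h in $DMZ_HOSTS; do
        printf 'arping -U -I %s -c 3 %s\n' "$OUTSIDE_IF" "$h"
    done
    printf 'ip neigh show dev %s\n' "$OUTSIDE_IF"
}

case "${1:-}" in
    --plan)  proxyarp_plan; proxyarp_filter_plan; arp_refresh_plan ;;
    --apply) { proxyarp_plan; proxyarp_filter_plan; arp_refresh_plan; } | sh -e ;;
esac
```

Run it with `--plan` first and read the output; `--apply` pipes the same lines into `sh -e`, so it stops at the first failing command (an existing default route, for instance). The script assumes the outside interface already carries an address in the router's subnet and that the box starts with no default route, which matches the two-machines-and-a-spare-IP test setup Oliver recommends rather than a live network.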