transparent firewall (proxy arp?)
Jason Shein
jason-gaRZxGPHtpBxZtjKW1aY+1aTQe2KTcn/ at public.gmane.org
Fri Feb 6 22:25:49 UTC 2004
http://www.ipcop.org
works like a charm.
Mark Wadden wrote:
> Greetings all,
>
> I'm hoping someone can help me with a networking issue.
>
> I'm trying to set up what I would call a "transparent firewall".
> Basically, I want to stick a machine running iptables between my
> ISP-supplied router and the switch, without having it masquerade the IPs
> of the machines it's protecting.
>
> I had no idea where to start so I originally looked into some Linux
> bridging docs. Then I came across this Proxy Arp how-to, which
> essentially describes my exact scenario
> (http://www.sjdjweis.com/linux/proxyarp/). As promising as this article
> sounds, I couldn't get it to work.
>
> I set up a RedHat 9 box as per the instructions in the how-to. But when
> I hooked everything up (and rebooted the router and switch to clear out
> any arp tables) it wouldn't route any packets through. From the Proxy
> Arp machine I could ping both sides (router and DMZ) but I couldn't get
> anything to go THROUGH the machine. At one point I was able to ping
> from the DMZ side to the router, but nothing else was going through.
> Another strange thing is that I tried a tcpdump on the Proxy Arp box and
> it was only picking up a few packets here and there (even though there
> was a lot of stuff trying to get through).
>
> So, at this point I'm really stuck. I should also mention that I don't
> have enough hardware to set up a test network first, so every time I try
> to "test" a change I've made I have to put this machine onto the live
> network (essentially screwing up all traffic in and out of the
> company... not a good thing since we provide hosting services for
> clients).
>
> I'd appreciate any commentary anyone may have on this issue. I'm also
> completely open to different approaches if this one has some obvious
> flaws.  I'm just trying to avoid IP masquerading since that's what I
> have now and it's causing a lot of DNS headaches (maybe I should just
> fix the dns problems instead...).
>
>
> thanks,
>
>
> -mark
>
>
> --
> The Toronto Linux Users Group. Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
>
--
" Eventually people tire of repairing broken Windows,
And decide to replace them with something stronger"
(o_
//\ Linux - The Choice Of A GNU Generation
V_/_ Jason Shein
Linux Registered User #281100
jason-gaRZxGPHtpBxZtjKW1aY+1aTQe2KTcn/@public.gmane.org
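Added example, not part of the thread above and not IPCop's code: the proxy-ARP
transparent firewall Mark describes, written out as a shell script for a Linux
box with two NICs. Interface names (eth0 toward the router, eth1 toward the
switch), the 203.0.113.0/24 addresses, the firewall's own address and the list
of protected hosts are all assumptions; swap in your own. The point it makes
that the thread's symptoms hint at: the kernel answers proxy ARP only for
addresses it would route out a different interface, so you need ip_forward on,
proxy_arp on both interfaces AND a /32 host route per protected host. Being able
to ping both sides from the box proves none of that, and if the ARP replies never
go out, tcpdump on the box sees almost nothing. There is no nat table here at
all, so addresses pass through untouched.

```shell
#!/bin/sh
# Added example (not from the thread or from IPCop): a proxy-ARP "transparent"
# firewall on a Linux box with two NICs, no masquerading.  Interface names,
# addresses and the list of protected hosts below are assumptions.
#
#   ISP router (203.0.113.1) -- eth0 [this box: 203.0.113.2] eth1 -- switch -- DMZ hosts
#
# Both NICs share the box's single address; the kernel only needs to know
# which public hosts sit behind eth1, which the /32 host routes tell it.
WAN_IF=${WAN_IF:-eth0}              # faces the ISP router
DMZ_IF=${DMZ_IF:-eth1}              # faces the switch with the protected hosts
FW_IP=${FW_IP:-203.0.113.2}         # the firewall's own public address
ROUTER=${ROUTER:-203.0.113.1}       # default gateway on the WAN side
PREFIX=${PREFIX:-24}                # the public subnet's prefix length
DMZ_HOSTS=${DMZ_HOSTS:-"203.0.113.10 203.0.113.11"}
DRY_RUN=${DRY_RUN:-1}               # 1: print the commands, 0: execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Addressing: WAN carries the real subnet mask so the box can reach the
# router; DMZ gets the same address as a /32 so the kernel does not think
# the whole /24 is reachable on both sides.
proxyarp_addresses() {
    run ip addr replace "$FW_IP/$PREFIX" dev "$WAN_IF"
    run ip addr replace "$FW_IP/32" dev "$DMZ_IF"
}

# Forwarding must be on, and proxy_arp on BOTH interfaces: the router asks
# eth0 for the DMZ hosts' MACs, the DMZ hosts ask eth1 for the router's.
proxyarp_sysctl() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$WAN_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$DMZ_IF.proxy_arp=1"
}

# The kernel answers proxy ARP only for addresses it would route out a
# different interface, so without these /32 routes nobody gets an ARP reply
# and tcpdump on the box sees almost nothing (the symptom in the thread).
proxyarp_routes() {
    for h in $DMZ_HOSTS; do
        run ip route replace "$h/32" dev "$DMZ_IF"
    done
    run ip route replace default via "$ROUTER" dev "$WAN_IF"
}

# Filtering only, no nat table: addresses pass through untouched.
# Outbound from the DMZ is open; inbound is limited to the listed TCP ports.
proxyarp_firewall() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -j ACCEPT
    for p in 22 80 443; do
        run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Quick state check for the "can ping both sides but nothing goes through"
# case: forwarding or proxy_arp off, or a missing host route.
proxyarp_check() {
    for f in ip_forward "conf/$WAN_IF/proxy_arp" "conf/$DMZ_IF/proxy_arp"; do
        printf '%s = %s\n' "$f" "$(cat "/proc/sys/net/ipv4/$f" 2>/dev/null || echo '?')"
    done
    ip route show dev "$DMZ_IF" 2>/dev/null
}

# With no argument the script only prints what it would do; "apply" runs it.
if [ "${1:-}" = apply ]; then DRY_RUN=0; fi
proxyarp_addresses
proxyarp_sysctl
proxyarp_routes
proxyarp_firewall
```

Run it with no arguments first and read the printed commands against your own
addressing; only then run it with `apply` as root. Because every change is an
`ip ... replace` or an appended iptables rule, the same script can be run again
after correcting a variable. `proxyarp_check` prints the three /proc values and
the host routes, which is the first thing to look at when traffic stops at the
box.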