I have a problem with proxyarp. If I restart shorewall, the arp -Ds command seems to put the arp entry onto my ipsec0 interface.

Upon initial starting of the box I have no problem; this is what my arp looks like:

? (XXX.XXX.XXX.XXX) at * PERM PUP on eth2

When I restart, this is what I get:

? (XXX.XXX.XXX.XXX) at * PERM PUP on ipsec0

The command it issues in shorewall is

arp -Ds XXX.XXX.XXX.XXX eth2 pub

This seems to be the problem. If I change it to

arp -i eth2 -Ds XXX.XXX.XXX.XXX eth2 pub

all seems to be OK.

Any ideas what the issue may be? I am running Shorewall-1.4.7.
On Tuesday 09 March 2004 09:19 pm, Sean wrote:
> I have a problem with proxyarp. If I restart shorewall
> the arp -Ds command seems to put the arp entry onto my ipsec0
> interface.
>
> upon initial starting of the box I have no problem this
> is what my arp looks like.
>
> ? (XXX.XXX.XXX.XXX) at * PERM PUP on eth2
>
> when I restart this is what I get
>
> ? (XXX.XXX.XXX.XXX) at * PERM PUP on ipsec0
>
> the command it issues in shorewall is
>
> arp -Ds XXX.XXX.XXX.XXX eth2 pub
>
> this seems to be the problem if I change
> it to
>
> arp -i eth2 -Ds XXX.XXX.XXX.XXX eth2 pub
>
> all seems to be ok.
>
> Any ideas what the issue may be?
>

This issue is discussed in the second Warning on the Shorewall IPSEC page (http://www.shorewall.net/IPSEC.htm).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Now I understand. On my old firewall setup I had modified init and start. On this one I was testing I had not. In your WARNING you mentioned you had not found the problem nor had time. As I have found a solution that does not require modification of init or start, would you consider using my fix?

Just add the -i $external to the run_arp call.

[ -z "$haveroute" ] && run_ip route replace $address dev $interface
run_arp -i $external -Ds $address $external pub
echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp

Regards
Sean Mathews

---------- Original Message ----------------------------------
From: Tom Eastep <teastep@shorewall.net>
Date: Wed, 10 Mar 2004 06:36:27 -0800

>On Tuesday 09 March 2004 09:19 pm, Sean wrote:
>> I have a problem with proxyarp. If I restart shorewall
>> the arp -Ds command seems to put the arp entry onto my ipsec0
>> interface.
>>
>> upon initial starting of the box I have no problem this
>> is what my arp looks like.
>>
>> ? (XXX.XXX.XXX.XXX) at * PERM PUP on eth2
>>
>> when I restart this is what I get
>>
>> ? (XXX.XXX.XXX.XXX) at * PERM PUP on ipsec0
>>
>> the command it issues in shorewall is
>>
>> arp -Ds XXX.XXX.XXX.XXX eth2 pub
>>
>> this seems to be the problem if I change
>> it to
>>
>> arp -i eth2 -Ds XXX.XXX.XXX.XXX eth2 pub
>>
>> all seems to be ok.
>>
>> Any ideas what the issue may be?
>>
>
>This issue is discussed in the second Warning on the Shorewall IPSEC page
>(http://www.shorewall.net/IPSEC.htm).
>
>-Tom
>--
>Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
>Shoreline, \ http://shorewall.net
>Washington USA \ teastep@shorewall.net
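The check a practitioner would want after applying Sean's change is to confirm, after a restart, that the published (PERM PUP) entry actually sits on the external interface and not on ipsec0. The following shell script is an added example and is not Shorewall's code or Sean's: it builds the explicit "arp -i IFACE" form of the command and parses arp -an output to verify which interface holds the published entry. The sample arp -an lines are constructed (192.0.2.10 is a documentation address standing in for the XXX.XXX.XXX.XXX above), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of Shorewall. Verifies where a published (proxy)
# ARP entry landed and builds the "-i IFACE" form of the arp command.

# Build the corrected command. "-i" repeats the interface so arp cannot
# attach the published entry to another interface (ipsec0 in the thread).
proxyarp_cmd() {
    addr=$1
    iface=$2
    printf 'arp -i %s -Ds %s %s pub\n' "$iface" "$addr" "$iface"
}

# Read "arp -an" output on stdin and print the interface that holds the
# PERM PUP (published) entry for address $1; print nothing if none exists.
# Line shape expected: "? (A.B.C.D) at * PERM PUP on eth2"
published_iface() {
    awk -v a="($1)" '$2 == a && /PERM/ && /PUP/ { print $NF; exit }'
}

# Return 0 if the published entry for $1 is on interface $2, 1 otherwise.
# Reads "arp -an" output on stdin.
check_proxyarp() {
    got=$(published_iface "$1")
    [ "$got" = "$2" ]
}

# Constructed samples of "arp -an" output (not captured from a real host):
# the good case from the thread and the broken case after a restart.
SAMPLE_OK='? (192.0.2.10) at * PERM PUP on eth2
? (192.0.2.1) at 00:11:22:33:44:55 [ether] on eth2'
SAMPLE_BAD='? (192.0.2.10) at * PERM PUP on ipsec0
? (192.0.2.1) at 00:11:22:33:44:55 [ether] on eth2'

# Usage on a live box would be:  arp -an | check_proxyarp 192.0.2.10 eth2
# With the constructed samples:
if printf '%s\n' "$SAMPLE_BAD" | check_proxyarp 192.0.2.10 eth2; then
    echo "published entry for 192.0.2.10 is on eth2"
else
    echo "published entry for 192.0.2.10 is NOT on eth2; re-add it with:"
    proxyarp_cmd 192.0.2.10 eth2
fi
```

On current kernels the same published entry can be created with ip(8) as `ip neigh add proxy 192.0.2.10 dev eth2`, which takes the interface explicitly and avoids the ambiguity the thread is about; the arp(8) form is kept here because it is what Shorewall 1.4.7 issued.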
From: "@(none) <"@shorewall.net, "teastep\""@shorewall.net
Date: 2004-Mar-20 15:01 UTC
Subject: Re: proxyarp problem.
Sean wrote:
> Now I understand. On my old firewall setup I had
> modified init and start. On this one I was testing
> I had not. In your WARNING you mentioned you had
> not found the problem nor had time. As I have found
> a solution that does not require modification of init
> or start would you consider using my fix?
>
> Just add the -i $external to the run_arp call.
>
> [ -z "$haveroute" ] && run_ip route replace $address dev $interface
> run_arp -i $external -Ds $address $external pub
> echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
>

Thanks, Sean -- I'll add your fix to 2.0.1.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
> "@(none) <"@shorewall.net wrote:

Sorry for the corrupted 'From' address -- reconfigured my mailer this morning.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net