Hello,

I'm a new user of shorewall and I have a question with regards to the proxyarp feature.

I recently received a block of IP addresses which I would like to assign to internal servers. Here is a picture of my current setup.

ISP Gateway (66.7.139.1)
|
|
|
Firewall (66.7.139.2)
|
|
|
Internal network (192.168.0.0/24)

Now, I received the following block of addresses: 66.54.229.104/29. Since I only have six IP addresses I would rather not use one on the firewall and install a third network card to subnet my network. Someone suggested ProxyARP might do the trick. I tried it and have made some progress. Here is my setup after defining a proxy arp route(?) in the proxyarp config file.

ISP Gateway (66.7.139.1)
|
|
|
Firewall External IP (66.7.139.2) Internal IP (192.168.0.2)
|                            |
|                            |
|                            |
66.54.229.106                192.168.0.0/24
GW=66.7.139.1                GW=192.168.0.2

Once I do this and restart shorewall, I can ping the .106 address from the server but that's it. I can't get to the .106 machine from the outside; all connections to address 66.54.229.106 connect me to the firewall. In addition, the .106 machine can't get to the firewall.

I can understand what to do if I only have a single block of IP addresses; I'm having a tough time getting my head around dealing with both the /29 block and the /30 block. It seems that the easiest thing to do is to replace my external IP with an address from my new /29 block. However, I'm not sure how I can get to the 66.7.139.1 gateway. It seems that doing that just moves my problem further up the chain of machines.

Any ideas on the best way to proceed? If I sound like a buffoon feel free to flame away.

Regards,
Joe Cotellese
On Mon, 2003-09-22 at 09:35, Joe Cotellese wrote:
> Hello,
>
> I'm a new user of shorewall and I have a question with regards to the
> proxyarp feature.
>
> I recently received a block of IP addresses which I would like to assign
> to internal servers. Here is a picture of my current setup.
>
> ISP Gateway (66.7.139.1)
> |
> |
> |
> Firewall (66.7.139.2)
> |
> |
> |
> Internal network (192.168.0.0/24)
>
> Now, I received the following block of addresses: 66.54.229.104/29.

Is your ISP routing 66.54.229.104/29 through 66.7.139.2? If so, you cannot use Proxy ARP.

-Tom
--
Nothing is foolproof to a sufficiently talented fool
On Mon, 2003-09-22 at 09:38, Tom Eastep wrote:
> On Mon, 2003-09-22 at 09:35, Joe Cotellese wrote:
> > [...]
> > Now, I received the following block of addresses: 66.54.229.104/29.
>
> Is your ISP routing 66.54.229.104/29 through 66.7.139.2? If so, you
> cannot use Proxy ARP.

If your ISP *is* routing as I suggest above, you can still try the following:

On each of the systems in 66.54.229.104/29:

a) Add a host route to 66.7.139.2 (ip route add 66.7.139.2 dev <interface>)
b) Set the default gateway to 66.7.139.2

On Windoze systems, if you set the default gateway the route will be added automatically; IIRC, the same is true for some Linux Network config GUIs.

On the firewall, add a net route to 66.54.229.104:

ip route add 66.54.229.104/29 dev eth0

-Tom
--
Nothing is foolproof to a sufficiently talented fool
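Tom's test (is the /29 routed to 66.7.139.2, or does it sit on the same wire as the ISP router?) is what decides between his two recipes. The following is an added example, not code from this thread or from the Shorewall project: it applies that test with Python's ipaddress module and emits either /etc/shorewall/proxyarp entries or the route commands from Tom's a)/b) steps. The external prefix 66.7.139.2/30 is taken from Joe's mention of "the /30 block"; the interface names eth0 (external) and eth1 (internal), the server-side commands, the second scenario with a /24 and the function name are assumptions made for the example.

```python
"""Added example: decide between Proxy ARP and a plainly routed block.

Not from the Shorewall thread or project. Assumptions: firewall external
interface eth0, internal interface eth1, server interface eth0, and the
Shorewall proxyarp file layout ADDRESS INTERFACE EXTERNAL HAVEROUTE.
"""
import ipaddress


def plan_public_block(fw_ext, isp_gw, block, servers, ext_if="eth0", int_if="eth1"):
    """Return the configuration for a block of public addresses placed on
    servers behind the firewall's internal interface.

    fw_ext  - firewall external address with prefix, e.g. "66.7.139.2/30"
    isp_gw  - ISP router address on that same segment
    block   - the delegated block, e.g. "66.54.229.104/29"
    servers - the addresses from `block` that go on internal servers
    """
    ext = ipaddress.ip_interface(fw_ext)
    gw = ipaddress.ip_address(isp_gw)
    net = ipaddress.ip_network(block)        # strict: a host address is not a block
    hosts = [ipaddress.ip_address(s) for s in servers]

    if gw not in ext.network:
        raise ValueError(f"ISP gateway {gw} is not on {ext.network}")
    for h in hosts:
        if h not in net:
            raise ValueError(f"{h} is not in {net}")

    if net.subnet_of(ext.network):
        # Same broadcast domain as the ISP router: the router will ARP for
        # these addresses, so the firewall has to answer for them. Shorewall
        # does that from /etc/shorewall/proxyarp (ADDRESS INTERFACE EXTERNAL
        # HAVEROUTE); with HAVEROUTE=No it adds the host route via INTERFACE
        # itself. Servers keep the external subnet's prefix and use the ISP
        # router as default gateway, as Joe configured .106.
        return {
            "mode": "proxyarp",
            "shorewall_proxyarp": [f"{h} {int_if} {ext_if} No" for h in hosts],
            "firewall": [],
            "servers": {
                str(h): [
                    f"ip addr add {h}/{ext.network.prefixlen} dev eth0",
                    f"ip route add default via {gw}",
                ]
                for h in hosts
            },
        }

    # The ISP routes the block to the firewall's external address: nothing on
    # the external wire ever ARPs for these addresses, so Proxy ARP cannot
    # help. This is Tom's second recipe: a net route on the firewall, and on
    # each server a host route to the firewall's external address (which is
    # not in the block) followed by a default route through it. The host route
    # resolves because a Linux box answers ARP for any of its local addresses
    # on any interface by default (arp_ignore=0); Tom notes Windows adds the
    # host route by itself when the gateway is set.
    return {
        "mode": "routed",
        "shorewall_proxyarp": [],
        "firewall": [f"ip route add {net} dev {int_if}"],
        "servers": {
            str(h): [
                f"ip addr add {h}/{net.prefixlen} dev eth0",
                f"ip route add {ext.ip} dev eth0",
                f"ip route add default via {ext.ip}",
            ]
            for h in hosts
        },
    }


if __name__ == "__main__":
    # Joe's case (routed) and a constructed proxy-ARP case on a /24.
    for p in (
        plan_public_block("66.7.139.2/30", "66.7.139.1", "66.54.229.104/29", ["66.54.229.106"]),
        plan_public_block("66.7.139.2/24", "66.7.139.1", "66.7.139.8/29", ["66.7.139.10"]),
    ):
        print(p["mode"], p["shorewall_proxyarp"], p["firewall"])
        for host, cmds in p["servers"].items():
            print(" ", host, cmds)
```

The one check that matters is the containment test: if the delegated block is not inside the subnet the external interface and the ISP router share, the router never sends an ARP request for it and publishing it with Proxy ARP changes nothing, which is exactly the symptom Joe reports (connections to .106 terminate on the firewall). In the routed case the firewall also needs IP forwarding enabled, which Shorewall takes care of.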
why is proxyarp better than a DNAT/SNAT to a DMZ in this situation? Is it more safe?

cheers,
Duda

Tom Eastep <teastep@shorewall.net> wrote on 22/09/2003 15:19 (Subject: Re: [Shorewall-users] ProxyARP questions):
> On Mon, 2003-09-22 at 09:38, Tom Eastep wrote:
> > [...]
> > Is your ISP routing 66.54.229.104/29 through 66.7.139.2? If so, you
> > cannot use Proxy ARP.
>
> If your ISP *is* routing as I suggest above, you can still try the
> following:
>
> On each of the systems in 66.54.229.104/29:
>
> a) Add a host route to 66.7.139.2 (ip route add 66.7.139.2 dev <interface>)
> b) Set the default gateway to 66.7.139.2
>
> [...]
>
> On the firewall, add a net route to 66.54.229.104:
>
> ip route add 66.54.229.104/29 dev eth0
>
> -Tom

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Mon, 2003-09-22 at 15:08, Eduardo Ferreira wrote:
> why is proxyarp better than a DNAT/SNAT to a DMZ in this situation? Is it
> more safe?

a) You don't have to worry about NAT-sensitive applications.
b) You don't need separate DNS for internal and external clients.

-Tom
--
Nothing is foolproof to a sufficiently talented fool
Hello,

Proxy arp "virtually" moves the server from one interface (usually dmz) of the firewall to another (usually the net) interface. This allows the world to see your server (ip address) as if it was directly on the other (net) interface, while really forwarding packets through the firewall, thus allowing all the controls the firewall can provide.

This is done by proxying Address Resolution Protocol chatter. When resolving an ip address to an actual ethernet device, ARP is used to find the mac address of the machine for packet delivery (layer 2 of the OSI model). ARP traffic by design does not extend beyond the broadcast domain of a network segment. By proxying ARP, you can in effect extend the range of ARP traffic through interfaces, allowing in this case intermediate transparent packet filtering.

As Tom mentioned, all (I am pretty sure?..) routing issues, port forwarding issues, and addressing issues disappear (in terms of having a firewalled, public server), as the configuration issues (routing, etc) are handled transparently by the firewall.

I have been using the three interface setup using a DMZ and proxyarp flawlessly for a couple of years now. Of course this is not the only application for proxy arp related to shorewall, just the example I use for this little monologue.

http://www.shorewall.net/three-interface.htm

http://www.shorewall.net/ProxyARP.htm

(Comments anyone, does this all sound accurate? clear?)

Cheers,
Alex Martin
http://www.rettc.com

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Monday, September 22, 2003 4:15 PM
Subject: Re: [Shorewall-users] ProxyARP questions

On Mon, 2003-09-22 at 15:08, Eduardo Ferreira wrote:
> why is proxyarp better than a DNAT/SNAT to a DMZ in this situation? Is it
> more safe?

a) You don't have to worry about NAT-sensitive applications.
b) You don't need separate DNS for internal and external clients.

-Tom
--
Nothing is foolproof to a sufficiently talented fool
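Alex's description of the firewall standing in for the server at layer 2 can be made concrete. Below is an added example, not code from this thread or from Shorewall: it builds the ARP request the ISP router would broadcast for a published address and a small responder that parses Ethernet/ARP frames and answers only for addresses it has been told to publish, putting the firewall's own MAC in the reply. The MAC addresses, the 66.7.139.0/24 layout (router .1, firewall .2, published server .10) and all names are constructed for the example.

```python
"""Added example: the ARP exchange a proxy-ARP firewall takes part in.

Not from the Shorewall thread or project. Addresses, MACs and the
published set are constructed for illustration.
"""
import ipaddress
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    return ipaddress.IPv4Address(text).packed


def build_arp(oper, sha, spa, tha, tpa):
    """Ethernet frame carrying an ARP request (broadcast) or reply (unicast)."""
    dst = BROADCAST if oper == ARP_REQUEST else tha
    return ETH.pack(dst, sha, ETHERTYPE_ARP) + ARP.pack(1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


def parse_arp(frame):
    """Return the fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,
        "sha": sha, "spa": str(ipaddress.IPv4Address(spa)),
        "tha": tha, "tpa": str(ipaddress.IPv4Address(tpa)),
    }


class ProxyArpResponder:
    """What the firewall's external interface does for published addresses:
    answer "who has X?" with its own MAC, so the ISP router delivers frames
    for X to the firewall, which then filters and routes them to the server."""

    def __init__(self, own_mac, published):
        self.own_mac = own_mac
        self.published = {str(ipaddress.IPv4Address(a)) for a in published}

    def handle(self, frame):
        req = parse_arp(frame)
        if req is None or req["oper"] != ARP_REQUEST:
            return None                      # replies and non-ARP traffic: ignore
        if req["tpa"] not in self.published:
            return None                      # not ours to answer for
        # Reply: sender = (our MAC, the published IP), target = the asker.
        return build_arp(ARP_REPLY, self.own_mac, ip4(req["tpa"]), req["sha"], ip4(req["spa"]))


# Constructed topology: ISP router 66.7.139.1, firewall 66.7.139.2, server
# 66.7.139.10 behind the firewall and published on its external side.
ROUTER_MAC = mac("00:11:22:33:44:01")
FIREWALL_MAC = mac("00:11:22:33:44:02")
firewall = ProxyArpResponder(FIREWALL_MAC, ["66.7.139.10"])


def who_has(target, asker_mac=ROUTER_MAC, asker_ip="66.7.139.1"):
    """The router's broadcast request for `target`, and the parsed reply
    (None when the firewall stays silent)."""
    request = build_arp(ARP_REQUEST, asker_mac, ip4(asker_ip), b"\x00" * 6, ip4(target))
    reply = firewall.handle(request)
    return None if reply is None else parse_arp(reply)


if __name__ == "__main__":
    print(who_has("66.7.139.10"))   # answered, sha is FIREWALL_MAC
    print(who_has("66.7.139.11"))   # None: not published
    print(who_has("192.168.0.5"))   # None: internal address, never claimed outside
```

The responder answers only for the listed addresses, which is the property to keep in mind when hand-rolling this: the Linux per-interface proxy_arp sysctl is broader, it answers for any target the box would route out through a different interface, so switching it on for the external interface makes the firewall claim whatever it routes internally to anyone who asks on the outside. Per-address published entries are the narrower choice.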
On Mon, 22 Sep 2003, Alex Martin wrote:
> I have been using the three interface setup using a DMZ and proxyarp
> flawlessly for a couple of years now. Of course this is not the only application
> for proxy arp related to shorewall, just the example I use for this little
> monologue.
>
> http://www.shorewall.net/three-interface.htm
>
> http://www.shorewall.net/ProxyARP.htm
>
> (Comments anyone, does this all sound accurate? clear?)

I would substitute http://www.shorewall.net/shorewall_setup_guide.htm for the three-interface guide; it covers ProxyARP used in a three-interface setup.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Thanks for all the answers. As we say here, "Living and Learning".

But now, I don't know how, in my implementation, I could use a proxy-arp. Let me try a little ascii art:

- ISP1 - ROUTER1 - eth0.FIREWALL1.eth1 -
                                         INTERNET SERVERS (running w32, SORRY) - eth0.INTERNAL FIREWALL.eth1 - LOCAL NET
- ISP2 - ROUTER2 - eth0.FIREWALL2.eth1 -

as you can see, a very uncommon implementation - due to a lack of knowledge on my part, maybe.

The w32 servers each have two net cards. Each card has a different address and has a different default gateway (Firewall1 or Firewall2). Each gateway does NAT for the net card that has itself as Default Gateway. The external firewalls run BIND for my public domains. Each w32 server has two public addresses, one for each external firewall. This is the only way I could think of to make the w32 servers answer both public addresses - you know, I like better to study linux than windows ;-). Anyway, I've achieved the redundancy I would like to have.

Worst Problem:
- In this setup, my local net cannot reach the w32 servers using the public addresses given by the external servers. I had to put a third BIND in my local net to resolve the addresses (I don't like bind zones);

Doubt:
- using proxy-arp, could I:
  - proxy-arp each net card in the w32 servers to their respective default gateways?
  - proxy-arp the servers to the internal firewall so that the local net uses their public address to reach them?

TIA and sorry for the long post,
Duda

shorewall-users-bounces@lists.shorewall.net wrote on 22/09/2003 22:10:00:
> On Mon, 22 Sep 2003, Alex Martin wrote:
> > [...]
> > (Comments anyone, does this all sound accurate? clear?)
>
> I would substitute http://www.shorewall.net/shorewall_setup_guide.htm for
> the three-interface guide; it covers ProxyARP used in a three-interface
> setup.
>
> -Tom
On Tue, 2003-09-23 at 07:05, Eduardo Ferreira wrote:
> Thanks for all the answers. As we say here, "Living and Learning".
>
> But now, I don't know how, in my implementation, I could use a proxy-arp.
> Let me try a little ascii art:
>
> - ISP1 - ROUTER1 - eth0.FIREWALL1.eth1 -
> INTERNET SERVERS (running w32, SORRY) -
> eth0.INTERNAL FIREWALL.eth1 - LOCAL NET
> - ISP2 - ROUTER2 - eth0.FIREWALL2.eth1 -
>
> as you can see, a very uncommon implementation

And not readable because your mailer folded the ASCII art.

-Tom
--
Nothing is foolproof to a sufficiently talented fool