Hi Everyone,

Speaking of ProxyArp, I have a question/problem. Below is a basic design of a network that we are currently managing. Right now we have an ACL that is controlled by the ISP on the Cisco 1700 and then it is connected to the Cisco switches. We would like to put in place a Redhat/Shorewall Firewall between the router and switches as shown below. We have to use real IPs on all devices on the network because of the different network that is on switch 4. (They only allow certain IPs to access their network.)

First Question: Should the external IP (eth0) of the firewall be xxx.xxx.xxx.2?

Second Question: Do I have to list all IPs (including the switches' IPs) in the proxyarp file for this to work properly? The Cisco 1700 Router is the primary controlling router; will I have a problem with ARP caches on the router/switches?

Third Question: Will I have to change the gateway on all devices to the firewall's external IP?

Any help on this would be greatly appreciated.

Mike

                  /^^^^^^^^^^^\
                  |  internet |
                  \           /
                        |<-T1
                +-------|---------------+
                | Cisco 1700 Router     |
                | xxx.xxx.xxx.1/24      |
                +-------|---------------+
                        |
                +-------|------------------+
                | eth0:0 (xxx.xxx.xxx.7)   |---eth0->local network xxx.xxx.xxx.7
                | eth1:1                   |
                | eth2:2                   |---eth1->local network 192.168.1.1/24
                | Redhat 7.2               |
                | Shorewall 1.2.6          |---eth2->DMZ 192.168.2.1/24
                |                          |
                +--------------------------+
                        |
                        |
                +-------|----------------+
                | cisco 5500 switch      |
                | IP:xxx.xxx.xxx.2       |
                +-------|----------------+
                        |
                +-------|----------------+
                | cisco 5500 switch      |
                | IP:xxx.xxx.xxx.3       |
                +-------|----------------+
                        |
                        |
                +-------|----------------+     +----------------------+
                | cisco 5500 switch      |-----| cisco 2600 router    |
                | IP:xxx.xxx.xxx.4       |     | xxx.xxx.xxx.19       |
                |                        |     |                      |
                +-------|----------------+     +----------------------+
                        ^                               ^
                        |                               |
                        |                               |
                All IPs on the same subnet        Different Network
Mike,

I just finished using Shorewall to filter a divided subnet of "real" IP addresses, so I can give you a bit of assistance. Give me a few hours to get landed from a busy day, and I'll get you some detailed responses.

Dan

----- Original Message -----
From: "Michael Martinez" <Michael.Martinez@saconsultants.net>
To: <shorewall-users@shorewall.net>
Sent: Monday, March 18, 2002 3:46 PM
Subject: [Shorewall-users] ProxyARP

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
Michael,

> First Question: Should the external IP (eth0) of the firewall be
> xxx.xxx.xxx.2?

Yes -- this will simplify your configuration. It will allow your configuration to simply say "All them hosts are thataway, and that there gateway is thataway." You then need to enter a static host route via eth0 to the Cisco 1700 at xxx.xxx.xxx.1/24 --- or it won't be clear which physical interface the exit door really is. Answering "No" in the HAVEROUTE column of your proxyarp config file will cause Shorewall to create individual host routes via eth1 for every entry it contains -- that takes care of the routing for all of your protected hosts.

> Second Question: Do I have to list all IPs (including the switches' IPs) in
> the proxyarp file for this to work properly?

Yes. For all hosts behind the Shorewall box, you will need the IP explicitly listed in the proxyarp file --- cumbersome, but necessary. To create my very long list of host entries, I used MS Excel --- listed the first two addresses, selected them, and "dragged" the handle down until it had created all the necessary entries. Then moved over and typed "eth1" and "eth0" respectively, and did the drag and copy deal for all of them. I used "No" in HAVEROUTE, and duplicated those entries in the same fashion. Saved the file to text, copied it to the Shorewall box, and ran

    tr -d '\r' < excelfile.txt > proxyarp

to scrape the Windows funk out of the file, and I had the config in 5 minutes flat. No sweat.

> The Cisco 1700 Router is the primary controlling router; will I have a
> problem with ARP caches on the router/switches?

The potential for problems at first initialization is high. But, provided you have control over all of the devices with involved ARP caches, you can either flush them or power cycle them to clear everything. If you have a switch or router that is out of your control, you will have to wait until its ARP cache entries expire before you will know if your config succeeded. This can be frustrating, because it can make it appear you've done something wrong when you haven't. My standard practice in these situations is to just power cycle everything, and initialize them in a closely staggered power-on.

> Third Question: Will I have to change the gateway on all devices to the
> firewall's external IP?

Not if they all currently use xxx.xxx.xxx.1/24. In actuality, you can use either the external IP address of the shorewall box, or the IP of the xxx.xxx.xxx.1/24 gateway for the default gw. I left the clients using the IP of the router, to avoid the effort of changing them all for no good reason. :) That's the beauty of the "proxy" part of proxy arp ;)

Buena suerte,
Dan
Dan,

Thank you for a very clear explanation of how I need to set this up. I really appreciate it. I wish I would have asked this sooner. I used vi to put all the IPs (254 lines) in the proxyarp config file a couple of weeks ago :-(. Excel and/or Word would have been much easier.

I turned on Shorewall last Friday night to test it live and didn't flush the routers and switches and thought I had configured Shorewall wrong.

One question that I'm not sure about..... You indicated this... "You then need to enter a static host route via eth0 to the Cisco 1700 at xxx.xxx.xxx.1/24"

What file do I do this in and can you give me an example of the entry?

Tom,

Thank you for a great firewall/product. This is the exact reason why I chose Shorewall. I tried several firewalls (Smoothwall, Mandrake's SNF, securepoint, to name a few) and none of them offer Proxyarp. This is by far one of the best firewalls available (even better than some of the commercial products.) Thank you for all the hard work that you put into this product and the documentation.

Mike

-----Original Message-----
From: dgilleece
To: Michael Martinez; shorewall-users@shorewall.net
Sent: 3/18/02 9:51 PM
Subject: Re: [Shorewall-users] ProxyARP
Mike,

> You indicated this... "You then need to enter a static host route via eth0
> to the Cisco 1700 at xxx.xxx.xxx.1/24"
>
> What file do I do this in and can you give me an example of the entry?

The command is:

    route add -host xxx.xxx.xxx.1 dev eth0

..and I believe if you place it in /etc/shorewall/init it will do the trick. Like so:

    touch /etc/shorewall/init
    vi /etc/shorewall/init

Then add:

    route add -host xxx.xxx.xxx.1 dev eth0

Save the file and do a 'shorewall stop' then 'shorewall start'. That will put the route in place prior to shorewall starting.

> Tom,
>
> Thank you for a great firewall/product. This is the exact reason why I chose
> Shorewall.

Me too. In my situation, there was nothing other than Shorewall that would do the job so quickly. The commercial solutions that even approached it were $10K or more. Go Tom!

Dan
Michael Martinez wrote:

> Dan,
>
> Thank you for a very clear explanation of how I need to set this up. I
> really appreciate it. I wish I would have asked this sooner. I used vi to put
> all the IPs (254 lines) in the proxyarp config file a couple of weeks ago
> :-(. Excel and/or Word would have been much easier.

Have you guys heard of perl? :-)

Try this:

    perl -e 'for ($i = 1; $i < 255; ++$i) { printf "1.2.3.%-4s\t\teth1\t\teth0\t\tNo\n", $i; }' >> /etc/shorewall/proxyarp

Adjust the IP address and the number of spaces (in the %-4s) and tabs in the recipe above appropriately for your configuration, then run the command. Then use vi to move the last line marker from before the generated lines to the end of the file.

Paul
http://paulgear.webhop.net
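The proxyarp file Dan describes (one entry per host, HAVEROUTE=No so Shorewall adds the host route itself), the static route to the upstream router he puts in /etc/shorewall/init, and Paul's generator are three pieces of one job. The shell script below is an added example that is not Shorewall's code and not from any poster in this thread; it puts the three pieces together. It assumes the 1.2-era four-column layout (ADDRESS INTERFACE EXTERNAL HAVEROUTE), writes the resulting commands in iproute2 form (ip route / ip neigh add proxy) instead of the route/arp form used in 2002, and uses 192.0.2.0/24 in place of xxx.xxx.xxx; the sample entries are constructed. The generator takes an exclusion list because a file entry for the upstream router would give it a host route out the internal interface and have the firewall answer ARP for it, and an entry for the firewall's own external address is at best redundant. The translator prints rather than applies, so the result can be read before anything is run as root.

```shell
#!/bin/sh
# Added example, not Shorewall's code. Builds the 1.2-era proxyarp file for a
# /24 and shows the per-host kernel state each entry stands for. Nothing is
# applied: the functions print commands for review; run them as root yourself.
# Assumed column layout: ADDRESS INTERFACE EXTERNAL HAVEROUTE

# gen_proxyarp PREFIX INTERNAL EXTERNAL EXCLUDE...
#   PREFIX   first three octets of the /24, e.g. 192.0.2
#   INTERNAL interface the hosts sit behind (eth1 in the thread)
#   EXTERNAL interface facing the upstream router (eth0)
#   EXCLUDE  host numbers that must not be listed: at minimum the upstream
#            router (a listing would route it out INTERNAL and proxy ARP for
#            it) and the firewall's own external address.
gen_proxyarp() {
    prefix=$1; internal=$2; external=$3; shift 3
    exclude=" $* "
    i=1
    while [ "$i" -le 254 ]; do
        case "$exclude" in
            *" $i "*) ;;
            *) printf '%s.%s\t%s\t%s\tNo\n' "$prefix" "$i" "$internal" "$external" ;;
        esac
        i=$((i + 1))
    done
}

# proxyarp_commands < FILE
#   Prints, for each entry, what Shorewall's HAVEROUTE=No handling amounts to:
#   a /32 route out the internal interface, plus a published ARP entry on the
#   external interface (net-tools spelling: arp -i EXT -Ds ADDR EXT pub).
#   Comments and blank lines are skipped; malformed lines are reported on
#   stderr and make the function return 1.
proxyarp_commands() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }
        NF != 4 {
            print "bad proxyarp entry at line " NR ": " $0 | "cat 1>&2"
            bad = 1
            next
        }
        {
            addr = $1; internal = $2; external = $3; haveroute = tolower($4)
            if (haveroute == "no")
                printf "ip route add %s/32 dev %s\n", addr, internal
            printf "ip neigh add proxy %s dev %s\n", addr, external
        }
        END { exit bad }
    '
}

# upstream_route ROUTER EXTERNAL
#   The static host route to the upstream router from Dan's reply; it belongs
#   in /etc/shorewall/init so it exists before the per-host entries go in.
upstream_route() {
    printf 'ip route add %s/32 dev %s\n' "$1" "$2"
}

# Constructed sample: two hosts Shorewall must route for, one commented out,
# one for which the operator already has a route (HAVEROUTE=Yes).
SAMPLE_PROXYARP='# ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE
192.0.2.3        eth1       eth0      No
192.0.2.4        eth1       eth0      No
#192.0.2.5       eth1       eth0      No
192.0.2.19       eth1       eth0      Yes'

demo() {
    upstream_route 192.0.2.1 eth0
    printf '%s\n' "$SAMPLE_PROXYARP" | proxyarp_commands
}

demo
# Whole /24 behind the firewall, skipping the router (.1) and the firewall (.2):
# gen_proxyarp 192.0.2 eth1 eth0 1 2 > /etc/shorewall/proxyarp
```

Running the script prints one route line and one proxy line per HAVEROUTE=No entry and only the proxy line for the HAVEROUTE=Yes entry; piping a real proxyarp file through proxyarp_commands is a cheap way to spot a malformed or duplicated line before a restart, which is easier than waiting on stale ARP caches to tell you something is off.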
Actually, all of this scripting would be unnecessary if Shorewall took a little more liberal view of Proxy ARP. In later 2.2 and 2.4 kernels, Proxy ARP can be done entirely with the proxy-arp interface flag and the routing table. The problem is that when Proxy ARP is done that way, it allows someone probing on your subnet to learn the IP addresses of all of the hosts connected to your firewall :-(. By requiring explicit ARP entries, Shorewall closes this hole while at the same time allowing list subscribers to champion their favorite scripting language :-)

-Tom

----- Original Message -----
From: "Paul Gear" <paulgear@yahoo.com>
To: <shorewall-users@shorewall.net>
Sent: Tuesday, March 19, 2002 12:03 PM
Subject: Re: [Shorewall-users] ProxyARP
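Tom's message above contrasts the kernel's per-interface proxy_arp flag, which makes the kernel answer ARP on that interface for any target it can route out a different interface, with explicitly published per-host entries. An operator who has gone to the trouble of explicit entries will want to confirm on the running box that the flag really is off and that what is published matches the proxyarp file, instead of waiting on ARP cache expiry as Dan described. The shell script below is an added example, not Shorewall's code and not from any poster. It takes the text of the proxyarp file, the output of ip neigh show proxy (assumed line format "ADDR dev IFACE proxy"), the external interface name, and the path of the interface flag (on Linux /proc/sys/net/ipv4/conf/IFACE/proxy_arp). The sample data at the bottom is constructed; on a live firewall you would pass "$(cat /etc/shorewall/proxyarp)" and "$(ip neigh show proxy)" instead.

```shell
#!/bin/sh
# Added example, not Shorewall's code. Audits a proxy ARP firewall:
#  1. the interface-wide proxy_arp flag should be off, so the kernel answers
#     ARP only for addresses that were explicitly published;
#  2. the published entries should be exactly the addresses the proxyarp file
#     (ADDRESS INTERFACE EXTERNAL HAVEROUTE) lists for the external interface.

# proxy_arp_flag_off PATH
#   PATH is normally /proc/sys/net/ipv4/conf/IFACE/proxy_arp. When the flag is
#   1 the kernel answers ARP requests on IFACE for any target it can route out
#   a different interface, whether or not an entry was published for it.
proxy_arp_flag_off() {
    [ -r "$1" ] && [ "$(cat "$1")" = "0" ]
}

# wanted_addrs FILE_TEXT EXTERNAL -> addresses the file publishes on EXTERNAL
#   HAVEROUTE only affects routing; every entry is published regardless.
wanted_addrs() {
    printf '%s\n' "$1" | awk -v ext="$2" '
        /^[ \t]*(#|$)/ { next }
        NF == 4 && $3 == ext { print $1 }
    ' | sort -u
}

# published_addrs NEIGH_TEXT EXTERNAL -> addresses "ip neigh show proxy" lists
#   Assumed line format: "192.0.2.3 dev eth0 proxy"
published_addrs() {
    printf '%s\n' "$1" | awk -v ext="$2" '
        $2 == "dev" && $3 == ext && $0 ~ / proxy( |$)/ { print $1 }
    ' | sort -u
}

# audit_published FILE_TEXT NEIGH_TEXT EXTERNAL
#   Prints "missing ADDR" for file entries that are not published and
#   "extra ADDR" for published entries the file does not know about.
#   Returns 1 if either kind exists, 0 when the two sets agree.
audit_published() {
    want=$(wanted_addrs "$1" "$3")
    have=$(published_addrs "$2" "$3")
    rc=0
    for a in $want; do
        printf '%s\n' "$have" | grep -qxF -- "$a" || { echo "missing $a"; rc=1; }
    done
    for a in $have; do
        printf '%s\n' "$want" | grep -qxF -- "$a" || { echo "extra $a"; rc=1; }
    done
    return $rc
}

# Constructed sample: .4 was never published, .77 is a stray entry.
SAMPLE_FILE='# ADDRESS      INTERFACE  EXTERNAL  HAVEROUTE
192.0.2.3      eth1       eth0      No
192.0.2.4      eth1       eth0      No
192.0.2.19     eth1       eth0      Yes'
SAMPLE_NEIGH='192.0.2.3 dev eth0 proxy
192.0.2.19 dev eth0 proxy
192.0.2.77 dev eth0 proxy'

# Live use: audit_published "$(cat /etc/shorewall/proxyarp)" "$(ip neigh show proxy)" eth0
#           proxy_arp_flag_off /proc/sys/net/ipv4/conf/eth0/proxy_arp
audit_published "$SAMPLE_FILE" "$SAMPLE_NEIGH" eth0 || echo "published entries differ from the proxyarp file"
```

A "missing" line after a restart usually means the entry never made it in (a malformed line, or the file edited after the last restart), while an "extra" line is a leftover from a previous configuration that is still being answered for; both are worth clearing before blaming the switches' ARP caches.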
Uh, yeah...I'm on page 39 of the Llama book --- but it doesn't sum it up as succinctly as you did :)

Dan

----- Original Message -----
From: "Paul Gear" <paulgear@yahoo.com>
To: <shorewall-users@shorewall.net>
Sent: Tuesday, March 19, 2002 2:03 PM
Subject: Re: [Shorewall-users] ProxyARP
Tom Eastep wrote:

> Actually, all of this scripting would be unnecessary if Shorewall took a
> little more liberal view of Proxy ARP.
> ...
> By requiring explicit ARP entries,
> Shorewall closes this hole while at the same time allowing list subscribers
> to champion their favorite scripting language :-)

No axe to grind here. I just think Perl is easier to write complex programs in than shell. My geek code entry sums it up thus: My tendencies on this issue range from: "Perl is a very powerful programming tool. Not only do I no longer write shell scripts, I also no longer use awk or sed. I use Perl for all programs of less than a thousand lines.", to: "Perl combines the power of sh, the clarity of sed, and the performance of awk with the simplicity of C. It should be banned." :-)

Paul
http://paulgear.webhop.net
And if you set it up with a little trick then you can also use ProxyARP Subnetting. (So you told me before ;-)

Sascha

At 12:12 19.03.2002 -0800, you wrote:
> Actually, all of this scripting would be unnecessary if Shorewall took a
> little more liberal view of Proxy ARP.
> ...