Bradey Honsinger
2003-Jan-10 23:03 UTC
[Shorewall-users] Forcing ISP ARP cache to refresh immediately
From http://shorewall.net/ProxyARP.htm (and the Setup Guide):

> A word of warning is in order here. ISPs typically configure their
> routers with a long ARP cache timeout. If you move a system from
> parallel to your firewall to behind your firewall with Proxy ARP, it
> will probably be HOURS before that system can communicate with the
> internet. You can call your ISP and ask them to purge the stale ARP
> cache entry but many either can't or won't purge individual entries.

A reading of Stevens' _TCP/IP Illustrated, Vol 1_ reveals that a "gratuitous" ARP packet should cause the ISP's router to refresh their ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC address for its own IP; in addition to ensuring that the IP address isn't a duplicate, "if the host sending the gratuitous ARP has just changed its hardware address..., this packet causes any other host...that has an entry in its cache for the old hardware address to update its ARP cache entry accordingly." Which is, of course, exactly what you want to do when you switch a host from being exposed to the Internet to behind Shorewall using proxy ARP.

Happily enough, recent versions of Redhat's iputils package include "arping", whose "-U" flag does just that:

    arping -U -I <net if> <newly proxied IP>
    arping -U -I eth0 66.58.99.83    # for example

Stevens goes on to mention that not all systems respond correctly to gratuitous ARPs, but googling for "arping -U" seems to support the idea that it works most of the time.

Has anyone else tried this? I didn't see any mention of it in the list archives or on shorewall.net, but it looks like it might be worth a mention in the documentation. Trifon and I are going to try it out tonight, if we get that far, so we'll report back.

- Bradey
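The frame that "arping -U" puts on the wire, built and checked against Stevens' definition of a gratuitous ARP (sender IP equal to target IP in a request). This is an added example for illustration, not code from the list or from iputils; the MAC address is a constructed sample and send_frame assumes a Linux host with CAP_NET_RAW.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
BROADCAST = b"\xff" * 6

def build_gratuitous_arp(src_mac: str, ip: str) -> bytes:
    """Gratuitous ARP request (Stevens 4.7, what `arping -U` sends): the host
    asks for its own IP, so sender IP == target IP, and neighbours holding a
    stale entry for that IP relearn the sender MAC from it."""
    smac = bytes.fromhex(src_mac.replace(":", ""))
    ip_b = socket.inet_aton(ip)
    eth = BROADCAST + smac + struct.pack("!H", ETH_P_ARP)
    # hw type 1 (Ethernet), proto 0x0800 (IPv4), hw len 6, proto len 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += smac + ip_b + b"\x00" * 6 + ip_b   # sender MAC/IP, target MAC/IP
    return eth + arp

def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its fields (IPv4 over Ethernet only)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return {
        "op": op,
        "sender_mac": fmt(frame[22:28]), "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": fmt(frame[32:38]), "target_ip": socket.inet_ntoa(frame[38:42]),
    }

def is_gratuitous(frame: bytes) -> bool:
    """True if the frame is an ARP request for the sender's own address."""
    a = parse_arp(frame)
    return a["op"] == ARP_REQUEST and a["sender_ip"] == a["target_ip"]

def send_frame(iface: str, frame: bytes) -> int:
    """Put the frame on the wire (Linux AF_PACKET, needs CAP_NET_RAW)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        return s.send(frame)

if __name__ == "__main__":
    # Constructed sample: 02:00:00:00:00:01 is a made-up locally administered MAC.
    f = build_gratuitous_arp("02:00:00:00:00:01", "66.58.99.83")
    print(parse_arp(f), is_gratuitous(f))
```

Capturing on the ISP-facing interface while running arping -U and feeding the bytes to parse_arp shows whether the tool really emits a request with matching sender and target IP, which is what a router must see before it will overwrite its stale entry.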
Tom Eastep
2003-Jan-11 06:56 UTC
[Shorewall-users] Forcing ISP ARP cache to refresh immediately
--On Friday, January 10, 2003 11:03:04 PM -0800 Bradey Honsinger <BradeyH@construx.com> wrote:

>
> Has anyone else tried this? I didn't see any mention of it in the list
> archives or on shorewall.net, but it looks like it might be worth a
> mention in the documentation. Trifon and I are going to try
> it out tonight, if we get that far, so we'll report back.
>

Thanks Bradey, I've updated the Setup Guide and the Proxy ARP page with this information.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net