On Mon, 5 May 2003 19:29:17 -0400, Joseph Watson <jtwatson@datakota.com>
wrote:
> Hello,
>
> I have a question about proxy-arp that maybe this list could help with.
> I have been using shorewall and proxy-arp for a long time now, and it works
> great. I use it to move IPs from the wan to my dmz just like the
> how-to's show. Now I wanted to use proxy-arp on a machine that is not
> using shorewall, so I must set it up myself. I have been reading all the
> howto's I can find about proxy-arp and they all say one basic thing. If
> I want to move an IP from eth0 to eth1, I should turn on proxy-arp on both
> eth0 and eth1.
>
> echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
> echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
>
> But as far as I can tell shorewall only turns proxy_arp on for one
> interface? But it works. This makes me very curious.
>
> Here is the working configuration of my testing firewall using proxy arp:
>
> 192.168.1.0/24
> |
> eth0: 192.168.1.1
> Firewall
> eth1: 192.168.3.1
> |
> 192.168.1.2
>
> There are the following routes used by proxy-arp:
> 192.168.1.2 dev eth1 scope link
> 192.168.1.0/24 dev eth0 scope link
>
> This moves host 192.168.1.2 from the public network to the dmz behind the
> firewall. Where I am confused is when I check the proxy_arp settings:
>
> []# cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
> 0
> []# cat /proc/sys/net/ipv4/conf/eth1/proxy_arp
> 1
> []# cat /proc/sys/net/ipv4/conf/all/proxy_arp
> 0
>
> Why is proxy_arp not turned on for eth0?? Every howto I can find says to
> turn on proxy_arp for both interfaces.
>
> Maybe someone has a link to some more information or some advice?
>
From the 'setup_proxy_arp' function in Shorewall:

    # publish a static ARP entry for $address using the MAC of $external
    arp -Ds $address $external pub
    # answer proxy ARP only on the internal side
    echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
    # and make sure it stays off on the external side
    echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp

Note: $address   = the address of the system
      $external  = the external interface
      $interface = the internal interface
In other words, I add a persistent ARP cache entry for the address on the
external interface and I turn on the proxy_arp flag for the internal
interface.
Doing it that way prevents external hosts on the same subnet from being
able to use ARP to probe the configuration of your internal network.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
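As an added example that is not part of this thread or of Shorewall's own code, here is a small POSIX shell script that applies Tom's layout to the configuration Joseph posted: 192.168.1.2 is moved from eth0's 192.168.1.0/24 segment to a host behind eth1. The address and interface names come from the thread but are assumptions for any other network; enabling IP forwarding and the host route via `ip route replace` are my additions, since the thread shows the resulting route but not how it is created and the moved host is unreachable without both.

```shell
#!/bin/sh
# Added example (not Shorewall's code): move one address from the external
# subnet to a host behind the internal interface, the way setup_proxy_arp
# does it. Values are from the thread and are assumptions for your network:
#   ADDRESS  192.168.1.2  host being moved into the DMZ
#   EXTERNAL eth0         interface on the public 192.168.1.0/24 segment
#   INTERNAL eth1         interface the host now sits behind
#
# The steps the thread does not spell out, IP forwarding and the host route,
# are included because the moved host is unreachable without them.

# Emit the commands without running them, so the plan can be reviewed first.
proxy_arp_plan() {
    address=$1 external=$2 internal=$3
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
ip route replace $address dev $internal
arp -Ds $address $external pub
echo 1 > /proc/sys/net/ipv4/conf/$internal/proxy_arp
echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
EOF
}

# Run the plan as root; sh -e stops at the first failing command and the
# function returns its exit status.
proxy_arp_apply() {
    proxy_arp_plan "$@" | sh -ex
}

# Shorewall's layout: proxy_arp on for the internal interface (first arg),
# off for the external one (second arg). Returns 0 only for that combination.
proxy_arp_flags_ok() {
    [ "$1" = 1 ] && [ "$2" = 0 ]
}

# Check the live kernel flags (the "cat /proc/..." lines from the thread).
proxy_arp_check() {
    external=$1 internal=$2
    proxy_arp_flags_ok \
        "$(cat /proc/sys/net/ipv4/conf/"$internal"/proxy_arp)" \
        "$(cat /proc/sys/net/ipv4/conf/"$external"/proxy_arp)"
}

# Usage:          ADDRESS=... EXTERNAL=... INTERNAL=... ./proxy-arp.sh   (prints plan)
#         APPLY=1 ADDRESS=... EXTERNAL=... INTERNAL=... ./proxy-arp.sh   (as root)
address=${ADDRESS:-192.168.1.2}
external=${EXTERNAL:-eth0}
internal=${INTERNAL:-eth1}
if [ "${APPLY:-0}" = 1 ]; then
    proxy_arp_apply "$address" "$external" "$internal" &&
        proxy_arp_check "$external" "$internal" &&
        echo "proxy_arp flags: $internal=1 $external=0 (ok)"
else
    proxy_arp_plan "$address" "$external" "$internal"
fi
```

The plan/apply split is deliberate: the five commands change routing and ARP behaviour on a live box, so they are printed for review by default and only executed with APPLY=1. The check at the end confirms the state Joseph observed (eth1=1, eth0=0). The reason that asymmetry matters is the one Tom gives: with proxy_arp enabled on an interface, the kernel answers ARP requests arriving there for any target it can route out a different interface, so turning it on for eth0 as the howtos suggest would let any host on 192.168.1.0/24 ARP-sweep the 192.168.3.0/24 side and learn which addresses live behind the firewall. With it on eth1 only plus the single published entry, eth0 answers for 192.168.1.2 and nothing else. On a current system `ip neigh add proxy 192.168.1.2 dev eth0` is the iproute2 equivalent of the `arp -Ds ... pub` line, and `ip neigh show proxy` lists the published entries.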