Hello list!
Again, not really a strict Shorewall issue, but maybe someone can give me some
tricks.
I've experienced a kind of "ARP table corruption", and I
hope to learn some ways of avoiding the same problem in the future.
I'm running Shorewall 1.4.10c / 2.4.24 / iptables 1.2.6a on a woody
i386.
Because my ISP only gave me ONE range (64.24.247.96/27) I'm using
Proxy-ARP as follows:
net: external interface to ISP router
eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:3b:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 64.24.247.98/27 brd 62.255.255.255 scope global eth0
dmz
eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:da:8d:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 64.24.247.99/27 brd 62.255.255.255 scope global eth1
lan
eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:79:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.105.129/27 brd 192.168.105.255 scope global eth2
LAN is not actually used, no hosts connected.
ip route :
64.24.247.110 dev eth1  scope link 
64.24.247.105 dev eth1  scope link 
64.24.247.100 dev eth1  scope link 
64.42.247.119 dev eth1  scope link 
64.24.247.115 dev eth1  scope link 
64.24.247.96/27 dev eth0  proto kernel  scope link  src 64.24.247.98 
64.24.247.96/27 dev eth1  proto kernel  scope link  src 64.24.247.99 
192.168.105.128/27 dev eth2  proto kernel  scope link  src 192.168.105.129 
default via 64.24.247.97 dev eth0 
#ZONE	 INTERFACE	BROADCAST	OPTIONS
net      eth0           detect          norfc1918,dropunclean,blacklist
dmz      eth1           detect		
lan      eth2           detect
Proxy ARP is defined as follows:
#ADDRESS		INTERFACE	EXTERNAL        HAVEROUTE
64.24.247.100		eth1		eth0		No
64.24.247.105		eth1		eth0		No
64.24.247.110		eth1		eth0		No
64.24.247.115		eth1		eth0		No
64.24.247.119		eth1		eth0		No
Last week the ARP table was "corrupted", and all traffic from DMZ
-> NET and NET -> DMZ ended in a dead loop between eth0 and eth1. My
rrdtool graphs (thanks mrtnk) show this increasing traffic and static RAM used
growing by about 50 MB.
Have I made any mistake here, or can my ARP cache be attacked remotely?
Thanks, 
Mathieu
--
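The proxyarp table and the `ip route` output in the post above can be cross-checked mechanically, and that is something worth doing before suspecting an attack. The script below is an added example; it is not part of Mathieu's post and not Shorewall code. It parses a Shorewall proxyarp file and `ip route show` output and reports three kinds of inconsistency: a proxyarp ADDRESS with no /32 host route (or a host route on the wrong interface), a /32 host route on an internal interface that no proxyarp entry accounts for, and the same subnet appearing as a connected route on two interfaces. The embedded sample data is the proxyarp table and route listing exactly as posted above; the function names and the wording of the findings are my own. Run it against live data with `ip route show` and the real proxyarp file instead of the embedded strings.

```python
"""Cross-check a Shorewall proxyarp table against the kernel routing table.

Added example, not from the original post or from Shorewall: every ADDRESS
in the proxyarp table should have a /32 host route via its INTERFACE and lie
inside a subnet connected on its EXTERNAL interface, and no other host route
on the internal interface should exist without a proxyarp entry.
"""
import ipaddress

# Sample input: the proxyarp table as posted in the message above.
PROXYARP_TABLE = """\
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
64.24.247.100   eth1        eth0        No
64.24.247.105   eth1        eth0        No
64.24.247.110   eth1        eth0        No
64.24.247.115   eth1        eth0        No
64.24.247.119   eth1        eth0        No
"""

# Sample input: the `ip route` output as posted in the message above.
IP_ROUTE_OUTPUT = """\
64.24.247.110 dev eth1  scope link
64.24.247.105 dev eth1  scope link
64.24.247.100 dev eth1  scope link
64.42.247.119 dev eth1  scope link
64.24.247.115 dev eth1  scope link
64.24.247.96/27 dev eth0  proto kernel  scope link  src 64.24.247.98
64.24.247.96/27 dev eth1  proto kernel  scope link  src 64.24.247.99
192.168.105.128/27 dev eth2  proto kernel  scope link  src 192.168.105.129
default via 64.24.247.97 dev eth0
"""


def parse_proxyarp(text):
    """Return [(address, internal_iface, external_iface, haveroute)] entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed proxyarp line: {raw!r}")
        address, internal, external = fields[:3]
        haveroute = len(fields) > 3 and fields[3].lower() == "yes"
        entries.append((ipaddress.ip_address(address), internal, external, haveroute))
    return entries


def _field_after(fields, key):
    """Value following a keyword in an `ip route` line, or None if absent."""
    return fields[fields.index(key) + 1] if key in fields else None


def parse_ip_route(text):
    """Return [(network, dev)] from IPv4 `ip route show` output."""
    routes = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(dst, strict=False), _field_after(fields, "dev")))
    return routes


def check_proxyarp(entries, routes):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    host_routes = {net.network_address: dev for net, dev in routes if net.prefixlen == 32}
    connected = [(net, dev) for net, dev in routes if 0 < net.prefixlen < 32]
    internal_ifaces = {entry[1] for entry in entries}
    claimed = set()

    for address, internal, external, _haveroute in entries:
        claimed.add(address)
        if not any(address in net for net, dev in connected if dev == external):
            findings.append(f"{address}: not inside any subnet connected on {external}")
        dev = host_routes.get(address)
        if dev is None:
            findings.append(f"{address}: no /32 host route (typo in proxyarp or routing table?)")
        elif dev != internal:
            findings.append(f"{address}: host route points at {dev}, proxyarp says {internal}")

    # /32 routes on an internal interface that no proxyarp entry accounts for
    for address, dev in sorted(host_routes.items()):
        if dev in internal_ifaces and address not in claimed:
            findings.append(f"{address}: stray host route on {dev} with no proxyarp entry")

    # The same subnet connected on two interfaces: an address without a host
    # route is then reached over whichever of the two routes the kernel picks.
    seen = {}
    for net, dev in connected:
        if net in seen and seen[net] != dev:
            findings.append(f"{net}: connected route on both {seen[net]} and {dev}")
        seen.setdefault(net, dev)
    return findings


if __name__ == "__main__":
    for finding in check_proxyarp(parse_proxyarp(PROXYARP_TABLE), parse_ip_route(IP_ROUTE_OUTPUT)):
        print(finding)
```

On the posted data this reports that 64.24.247.119 has no host route while 64.42.247.119 has one on eth1 with no proxyarp entry (the two differ in the second octet), and that 64.24.247.96/27 is a connected route on both eth0 and eth1. Whether either of those is related to the loop is for the list to judge; the script only makes the inconsistencies visible.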