Hi,

I have shorewall 3.0.4 configured on CENTOS 4.2 as an invisible bridging firewall. (The bridge has no IP address). Everything is working correctly, however I'm getting a lot of ARP requests from my internet connection and I'd like to know if it's possible to have the shorewall box proxyarp to quiet things down. My network is pretty simple as diagrammed below:

Internet <-> DSL modem/router <---> shorewall bridge (No IP) <-----> 218.239.65.96/27 network of machines.

According to Ethereal, I'm getting up to 10 ARPs a second from the modem. (Script kiddies anyone?? Is this a high number for a 192K modem?)

I'm thinking that if the shorewall box proxyarps to the modem, the modem will then send along the incoming packet, and the shorewall box will step in and filter as appropriate.

I tried entries in the proxyarp file of:

218.239.65.96/27 eth1 eth0 yes
=> complains no such host: 218.239.65.96/27

218.239.65.97 eth1 eth0 yes
and
218.239.65.97 eth1 eth0 no yes
==> the error message is "RTNETLINK answers: no such device"

Finally, I tried

218.239.65.97 br0:eth1 br0:eth0 no yes
==> the error message is Cannot find device: "br0:eth1"

How do I do this? Is it even possible??

An improvement to this might be accepting 218.239.65.96/27 notation in the proxyarp file if possible.

Thanks,
-Robert
On Thursday 06 April 2006 11:14, Robert Winter wrote:

> How do I do this? Is it even possible??

It is not possible. Proxy ARP is a way to fake out layer two so that layer three routing can then take over. A bridge with no IP address has no layer three routing that can take over. And if you added proxy ARP to a bridge that did have an IP address, it would no longer be a bridge.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> I have shorewall 3.0.4 configured on CENTOS 4.2 as an invisible
> bridging firewall. (The bridge has no IP address). Everything is
> working correctly, however I'm getting a lot of ARP requests from my
> internet connection and I'd like to know if it's possible to have the
> shorewall box proxyarp to quiet things down. My network is pretty
> simple as diagrammed below:
>
> Internet <-> DSL modem/router <---> shorewall bridge (No IP)
> <----->218.239.65.96/27 network of machines.
>
> According to Ethereal, I'm getting up to 10 ARPs a second from the
> modem. (Script kiddies anyone?? Is this a high number for a 192K
> modem?)

Hi Robert

I would guess that the ARPs you are seeing are legitimate and generated by your DSL modem/router. The router has to use ARP to get the MAC addresses of your local machines (and maybe it is badly programmed so that it issues more ARP requests than necessary). I doubt that ARPs will be routed by an IP-based router, so I don't think they originate from the internet.

Rune
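Rune's point that ARP is a link-layer protocol and cannot be routed is easy to check directly on the bridge: every ARP request carries the sender's hardware address, so counting who-has frames per (sender MAC, sender IP) and per second shows whether the traffic comes from one box on the local segment (the modem/router) or from many. The following Python is an added example written for this thread, not code from the list or from the shorewall project. It parses raw Ethernet/ARP frames with nothing but the standard library, so it runs offline on a constructed capture; on a real box the frames would come from a capture on the bridge's interfaces. The router's MAC (a documentation address) and its IP 218.239.65.97 are assumptions for the sample only, as is the ten-requests-per-second sweep. As an extra check beyond the thread, it also flags frames whose Ethernet source differs from the ARP sender address, which is what a spoofed request looks like.

```python
"""Summarize ARP who-has traffic from raw Ethernet frames.
Added example for the shorewall-users thread; not from the original posts."""
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # RFC 826 layout for Ethernet/IPv4
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))


def parse_arp(frame):
    """Return the fields of a well-formed Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(src), "sender_mac": mac_str(sha),
            "sender_ip": ip_str(spa), "target_ip": ip_str(tpa)}


def build_arp_request(src_mac, src_ip, target_ip):
    """Build a broadcast who-has frame; used here only to construct sample input."""
    eth = ETH_HDR.pack(BROADCAST, mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST,
                       mac_bytes(src_mac), ip_bytes(src_ip), b"\x00" * 6, ip_bytes(target_ip))
    return eth + arp


def summarize_requests(capture):
    """capture: iterable of (timestamp_seconds, raw_frame).

    Returns (by_sender, peak_per_second, spoofed): who-has counts keyed by
    (sender MAC, sender IP), the busiest one-second bucket, and the requests
    whose Ethernet source MAC does not match the ARP sender MAC.
    """
    by_sender, per_second, spoofed = Counter(), Counter(), []
    for ts, frame in capture:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REQUEST:
            continue                      # non-ARP frames and replies are ignored
        by_sender[(arp["sender_mac"], arp["sender_ip"])] += 1
        per_second[int(ts)] += 1
        if arp["eth_src"] != arp["sender_mac"]:
            spoofed.append(arp)
    return by_sender, max(per_second.values(), default=0), spoofed


# Constructed sample (assumption, not a real capture): one router with the
# documentation MAC 00:00:5e:00:53:01 and assumed address 218.239.65.97
# sweeps the /27 at ten requests per second for two seconds.  An IPv4 frame
# and an ARP reply are mixed in to show they are filtered out.
ROUTER_MAC = "00:00:5e:00:53:01"
ROUTER_IP = "218.239.65.97"


def sample_capture():
    frames = [(1144.0 + i / 10, build_arp_request(ROUTER_MAC, ROUTER_IP, f"218.239.65.{98 + i}"))
              for i in range(20)]
    frames.append((1145.5, ETH_HDR.pack(BROADCAST, mac_bytes(ROUTER_MAC), ETHERTYPE_IPV4) + b"\x00" * 28))
    host_mac = "00:00:5e:00:53:02"
    reply = (ETH_HDR.pack(mac_bytes(ROUTER_MAC), mac_bytes(host_mac), ETHERTYPE_ARP)
             + ARP_PKT.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY, mac_bytes(host_mac),
                            ip_bytes("218.239.65.98"), mac_bytes(ROUTER_MAC), ip_bytes(ROUTER_IP)))
    frames.append((1145.6, reply))
    return frames


if __name__ == "__main__":
    by_sender, peak, spoofed = summarize_requests(sample_capture())
    for (mac, ip), n in by_sender.most_common():
        print(f"{n:4d} who-has requests from {mac} ({ip})")
    print(f"peak: {peak} requests/second, spoofed frames: {len(spoofed)}")
```

If the summary shows a single sender MAC (the modem/router's) with a high peak, the traffic is the local router resolving hosts on the segment, as Rune suggests; a spread of sender MACs that do not belong to the local segment, or non-empty `spoofed`, would be the thing worth investigating.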