Displaying 20 results from an estimated 10000 matches similar to: "Proxy-ARP and rules"
2005 Jan 26
9
Proxy-ARP on Same Segment
I have had to replace an existing setup which has a bunch of IPs
Proxy-NAT'ed onto the loc segment. While I do eventually want to move
them to their own segment, I have to deal with this for the next few weeks.
My problem is that from a loc system I can ping the public IP of a
system being proxy-ARP'd but I can't hit it via HTTP. Nothing is being
blocked according
2006 Feb 20
5
Proxy ARP and UDP
Woops - my fat fingers hit the send key before I could put in a subject
a minute ago.
Hello -
I am using kernel 2.4.27 and running into behavior I don't know how to
explain.
I have 2 relevant interfaces. eth0 is external, eth1 is internal. My
internal LAN is 10.10.10.0/24. My External range is 1.2.3.0/27 (dummied
up). I have an H.323 videoconference device inside my internal
2004 Nov 01
9
Some issues with proxy ARP
This is some ramblings on why using proxy ARP (on a host in a DMZ)
is a good or bad thing.
The good is that a computer X retains a public IP address which makes
it easy to connect it directly to the net if the firewall has to
be taken down for extended periods. Thus, if computer X is a mail
server for example, it can still function in a reduced capacity
until the firewall is restored.
The bad
2004 Dec 21
5
Is 'publish' proxy arp still broken ?
Can't get proxy arp with arp -s <IPaddr> <MACaddr> pub
to work with a 2.4 kernel. I see some evidence in the archive
that this was broken in the 2.0.x timeframe and never fixed.
Anyone know for sure if it's broken or working ?
(I'm attempting to route a few addresses into a routed
network, from the ethernet side of a DSL router that
has a /29 public
2005 Jan 18
4
DMZ Recommendations
From reading the documentation, I understand that it is recommended to
put servers that may be at risk in a DMZ served via proxy-arp. In this
case, the local clients that are behind a NAT would have their
connections to the DMZ masqueraded, yes?
Is there any way around this that would still be considered secure?
Just looking for advice.
Thanks,
A.
2002 Oct 29
1
ip conflict with proxy arp
HI,
I've got a proxy arp setup with iptables and tc.
on eth0 i have a route to 172.16.2.0/24 network
on eth1 is the LAN of 172.16.1.0/24 network
I have enabled proxy arp on both interfaces.
Now accordingly, the interface will respond
to all ARP requests for which it has a route to.
Now my setup is such, that a user on the LAN,
would like to have an ip from the 172.16.2.0/24 network.
2003 Jan 22
5
Proxy arp and pptp
Hi all!
I've set up a Linux box with shorewall doing proxy arp as per http://www.shorewall.net/shorewall_setup_guide.htm#ProxyARP the 5.2 (non routed) example. Everything is working great except for one thing, and that leads me to my question: is there a conflict between proxy arp and pptp? I've set the appropriate ACCEPT rules to allow tcp port 1723 and protocol 47 to the host
2002 Aug 31
1
Tunneling public ips, proxy arp, tinc config
Hi,
I have a question. I have a routeable /24 netblock including a server at a
colocation and I would like to use tincd to tunnel part of that netblock to
an internal network on another location being connected to the internet via
gateway with DSL link and a single static IP address, so I can use public
routable IP addresses on the local network.
I have tincd 1.0 pre7 installed on both the local
2007 Oct 20
1
[HELP] Proxy ARP & OSPF
Hi,
The network topo looks like this:
the original network:
router1 router2
| |
|----------------OSPF------------|
the target network: (we need to insert a transparent firewall between
these 2 routers, so a proxy arp is set up on firewall to bridge
router1 and router2)
router1 firewall router2
|
2002 Feb 01
1
Bug in the HOWTO: proxy-arp (?)
Hello all together,
I'm new to the list, so please excuse any violations of listiquette...
I didn't have too much to do with linux based firewalling and routing for
quite a time and found that proxy-arp changed in between...
As I struggled with it I found that the Advanced routing... howto wasn't too
helpful. Especially the documentation seems to be rather vice versa to
2007 Aug 03
1
proxy arp on CentOS 5?
Anybody implemented a working proxy ARP with CentOS 5?
I am trying to implement DNAT on a dual-homed firewall (servers behind
firewall are on private IPs) and that requires proxy ARP. I've tried
several different methods but nothing seems to work.
Any advice? Is proxy ARP broken on v5?
--
Florin Andrei
http://florin.myip.org/
2002 Aug 09
2
Proxy Arp
Hopefully this is an easy question....
I'm using a leaf router (bearing) running shorewall. Three interfaces net,
loc, and dmz. Only one computer in the dmz and it's being proxy arp'd.
External and internal (net and loc) can reach the dmz but the dmz cannot
reach the isp's gateway and beyond, but can reach a system adjacent to the
firewall.
2002 Jun 07
4
Proxy ARP - Pros & Cons
In a previous thread, Tom listed advantages (reproduced below) of Proxy
ARP over NAT. They are great reasons, but I have one reservation. By
using private addresses with NAT for servers in my DMZ, I can granularly
allow specific traffic, such as to/from the SMTP gateway/relay in the
DMZ, to connect inbound from the DMZ to an internal (LOC) mail server,
and know that it comes only from a
2002 Aug 12
4
Proxy ARP and RH 7.2
I have tried unsuccessfully to run both Shorewall 1.2.x, 1.3.x with
Proxy ARP on a Red Hat 7.2 machine.
The machine was configured as the external firewall as per the 'belt and
suspenders'' layout given at http://www.skippy.net/linux/firewall/
The firewall appeared to function correctly in all functions except
proxy ARP, however I must say I did not test exhaustively.
After
2007 Jun 15
2
Using Proxy ARP inside Xen DomUs
Hello list
I'm considering moving shorewall to a xen domu and the using the Proxy ARP
method (we use NAT today).
Is it possible to have a Proxy ARP firewall inside a domu serving requests
to other domus with public IP-addresses placed on separate hardware (not the
hardware the domu with the firewall is on) ?
I figure that there's a problem since it's different bridges
2003 Jan 05
2
Shorewall DMZ - Proxy ARP or Static NAT
Hi All,
From the documentation I have read on Shorewall, the preferred approach
seems to be, to use Proxy ARP instead of Static NAT for hosting web servers
in the DMZ Zone. But I have also read that this could cause problems for VPN
configurations.
I essentially have multiple public IP's, which I want to map to private
addresses in the DMZ. I also intend to setup a gateway between 2
2007 May 30
4
Proxy ARP with a Coyote Point equalizer
Here is a puzzle.
I have a network with several servers. It's a mess. It's a /24 and
pieces and servers are all over the place inside this /24 block, on both
sides of the firewall. For example, the router at 1.2.3.1 is outside
the firewall and many of the servers at 1.2.3.nnn/24 are behind the
firewall. (Obviously, 1.2.3.nnn is a fudged network.)
eth0 points outward to
2006 Apr 04
0
RE: Proxy ARP and UDP
I found the problem! It was me and it was dumb...
This was the network layout:
10.10.10.0/24 1.2.3.0/27
10.10.10.n
internal hosts
|
<----+-----+--------+ +-------+------>to the Internet
| | | |
Proxied | | |
H.323 device Firewall Router
eth1 eth0
1.2.3.11
2004 Jul 27
2
icmp traceroute from dmz behind proxy-arp - icmp code 11 ?
hello there,
i'm running a 3-interface inet, dmz, loc. i have some public ip addresses.
one public address is the router of the provider, the second one is the
linux box running shorewall. all other public interfaces are on the dmz
nic with proxy-arp.
now whenever i do a traceroute (the dmz boxes are windows, icmp
traceroute) the very first hop gets timeout/stars, then the router of
the provider
2003 Jan 10
1
Forcing ISP ARP cache to refresh immediately
From http://shorewall.net/ProxyARP.htm (and the Setup Guide):
> A word of warning is in order here. ISPs typically configure their
> routers with a long ARP cache timeout. If you move a system from
> parallel to your firewall to behind your firewall with Proxy ARP, it
> will probably be HOURS before that system can communicate with the
> internet. You can call your ISP and ask