RE: [suse-security] Connecting firewall directly to router ...
I read the man page for arp. It says that the kernel does automagic arp if a route exists between the subnets.
Did you also do 'man 7 arp'? That page says that the interface in question has to have proxy arp enabled. It's a sysctl thing, check /proc/sys/net/ipv4/conf/<IF>/proxy_arp. Cheers Tobias
I too had problems with proxy arp.
I got it to work (with help) by doing 'arp -i eth0 -s xxx.xxx.xxx.xxx 00:00:00:00:00:00 pub',
where eth0 is the outside interface and xxx.xxx.xxx.xxx is the outside IP address, and of course the correct MAC address of that interface.
But it didn't work before I added a route!!!! 'route add -host xxx.xxx.xxx.xxx eth1',
where eth1 is the inside of my firewall.
Hope you can make it work.
Regards
Søren Kent Jensen
----- Original Message -----
From: "Reckhard, Tobias"
> I read the man page for arp. It says that the kernel does automagic arp if a route exists between the subnets.
> Did you also do 'man 7 arp'? That page says that the interface in question has to have proxy arp enabled. It's a sysctl thing, check /proc/sys/net/ipv4/conf/<IF>/proxy_arp.
> Cheers Tobias
On Mon 03 Dec 01 22:12, Søren Kent Jensen wrote:
> I too had problems with proxy arp.
> I got it to work (with help) by doing 'arp -i eth0 -s xxx.xxx.xxx.xxx 00:00:00:00:00:00 pub', where eth0 is the outside interface and xxx.xxx.xxx.xxx is the outside IP address, and of course the correct MAC address of that interface. But it didn't work before I added a route!!!! 'route add -host xxx.xxx.xxx.xxx eth1', where eth1 is the inside of my firewall.
> Hope you can make it work.
> Regards Søren Kent Jensen
Hi,
I've tried several things to get this to work. Does my DMZ have to have public IPs for this to work? I've done this:
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 66.8.45.171 -j DNAT --to-destination 192.168.1.171:80
arp -i eth0 -s 66.8.45.171 00:01:02:50:B8:9E pub
echo "1" > /proc/sys/net/ipv4/conf/eth0/proxy_arp
This didn't work. I still get arp requests for 66.8.45.171 from the router at 66.8.45.161, but my firewall (66.8.45.162) does not answer them. I tried to add a route for 66.8.45.171 to route via 192.168.1.1 (DMZ interface). Any more ideas?
Ray
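As an added example (not code from Ray, Søren or Tobias), the configuration the thread converges on, as a POSIX shell script: the proxy_arp sysctl Tobias points at, the host route Søren found necessary, the published ARP entry, Ray's DNAT rule, plus a preflight check that reads the sysctls (including ip_forward, which the kernel also requires before it will answer proxy ARP) so a missing setting is reported rather than inferred from unanswered ARP requests. Interface names and addresses are the thread's; the ROOT variable is an assumption so the check can be pointed at a fake /proc tree.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and addresses are the
# ones the thread uses; ROOT is an assumed variable that lets the check read
# a fake /proc tree (leave it unset on a real box).

OUT_IF=eth0           # outside interface, faces the router at 66.8.45.161
IN_IF=eth1            # inside/DMZ interface
PUB_IP=66.8.45.171    # public address the firewall must answer ARP for
DMZ_IP=192.168.1.171  # DMZ host that receives the DNATed traffic

# Print an IPv4 sysctl read from ${ROOT}/proc/sys/net/ipv4/<path>; 0 if absent.
sysctl_get() {
  f="${ROOT:-}/proc/sys/net/ipv4/$1"
  if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# Preflight check: returns 0 only when forwarding and proxy_arp on the given
# outside interface are both on, and names whatever is missing. A 1 here is
# the state in which the router's ARP requests simply go unanswered.
proxy_arp_ready() {
  rc=0
  [ "$(sysctl_get ip_forward)" = 1 ] || { echo "net.ipv4.ip_forward is 0"; rc=1; }
  [ "$(sysctl_get "conf/$1/proxy_arp")" = 1 ] || { echo "proxy_arp is 0 on $1"; rc=1; }
  return $rc
}

# The full setup in the order the thread arrives at. Needs root.
proxy_arp_setup() {
  sysctl -w net.ipv4.ip_forward=1
  sysctl -w "net.ipv4.conf.$OUT_IF.proxy_arp=1"
  # The host route is the piece Søren found was missing: the kernel only
  # proxy-answers ARP for addresses it would forward out another interface.
  ip route add "$PUB_IP/32" dev "$IN_IF"
  # Explicit published entry; iproute2 equivalent of 'arp -i eth0 -s ... pub'.
  ip neigh add proxy "$PUB_IP" dev "$OUT_IF"
  # Ray's DNAT rule, restricted to the outside interface.
  iptables -t nat -A PREROUTING -i "$OUT_IF" -p tcp --dport 80 -d "$PUB_IP" \
    -j DNAT --to-destination "$DMZ_IP:80"
}
```

Run `proxy_arp_ready eth0` after `proxy_arp_setup` and again after any reboot; a firewall that silently loses the route or the sysctl looks exactly like Ray's symptom.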
participants (3)
- Ray Leach
- Reckhard, Tobias
- Søren Kent Jensen