Mailinglist Archive: opensuse-security (465 mails)

RE: [suse-security] Connecting firewall directly to router ...
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Wed, 5 Dec 2001 13:36:09 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56C87@xxxxxxxxxxxxxxxxx>
Disclaimer: I haven't tried any of this myself.

> > I got it to work (with help) by doing a 'arp -i eth0 -s
> > 00:00:00:00:00:00 pub Where eth0 is the outside if and
> is
> > the outside IP address. And of course the correct MAC address of that
> > interface. But it didn't work before I added a route!!!!
> 'route add -host
> > eth1' Where eth1 is the inside of my firewall.
> I've tried several things to get this to work. Does my DMZ
> have to have
> public IPs for this to work?

There is no inherent difference between public and private IP addresses. RFC
1918 just reserves a part of the entire address space and forbids its use in
the public Internet.

> I've done this :
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d
> -j DNAT
> --to-destination
> arp -i eth0 -s 00:01:02:50:B8:9E pub
> echo "1" > /proc/sys/net/ipv4/conf/eth0/proxy_arp
> This didn't work. I still get arp requests for
> from the router at
>, but my firewall ( does not answer them.
> I tried to add a route for to route via (DMZ
> interface).

Umm.. I think you've got the order wrong. IMHO and from reading the man
pages, you should do either:

1. echo 1 > /proc/sys/net/ipv4/ip_forward
2. echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
maybe 3. route add -host dev eth1

I don't think step 3 is meant to be necessary.

Or, e.g. if ip_forward is zero, you could do:

1. arp -i eth0 -s <MAC of firewall's eth0> pub

You may have got the MAC address wrong, if you're still seeing ARP requests
going unanswered. Though the Linux box should be responding nevertheless (so
the ARP requests would in fact be answered), it's just that the
corresponding MAC address doesn't exist on the LAN segment.
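Added illustration of the ordering question in the message above (my own code, not from the thread or from the kernel): a small model of when a Linux box answers an ARP request for an address that is not its own. It follows my reading of net/ipv4/arp.c (arp_process / arp_fwd_proxy): a request for a foreign target gets a reply only if forwarding is on, a route to the target exists, that route leaves through an interface other than the one the request arrived on, and the receiving interface either has proxy_arp set or carries a published ('arp ... pub') entry for the target. Under that reading the host route via the inside interface is the step that makes the difference, because the DMZ address lies in the outside subnet and would otherwise route straight back out eth0. All addresses are constructed (203.0.113.0/24 outside, 192.168.1.0/24 inside); the interface names and scenario labels are assumptions for the example.

```python
"""Model of the Linux proxy-ARP reply decision (added example, not kernel code).

Mirrors, as I read it, arp_process()/arp_fwd_proxy() in net/ipv4/arp.c:
a request for a target that is not one of our own addresses is answered iff
  - forwarding is enabled,
  - a route to the target exists and leaves via an interface other than the
    one the request came in on, and
  - proxy_arp is set on the receiving interface, or a published ('pub')
    entry for the target exists on it.
Addresses are constructed: 203.0.113.0/24 outside, 192.168.1.0/24 inside.
"""

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Iface:
    name: str
    addr: str                                    # own address as "a.b.c.d/prefix"
    proxy_arp: bool = False                      # /proc/sys/net/ipv4/conf/<if>/proxy_arp
    published: set = field(default_factory=set)  # targets of 'arp -i <if> -s <ip> <mac> pub'


@dataclass
class Firewall:
    ip_forward: bool                             # /proc/sys/net/ipv4/ip_forward
    ifaces: dict                                 # name -> Iface
    host_routes: dict = field(default_factory=dict)  # 'route add -host <ip> dev <if>'

    def route(self, tip: str):
        """Output interface for tip: a host route beats a connected route."""
        if tip in self.host_routes:
            return self.host_routes[tip]
        target = ipaddress.ip_address(tip)
        best = None
        for itf in self.ifaces.values():
            net = ipaddress.ip_interface(itf.addr).network
            if target in net and (best is None or net.prefixlen > best[1]):
                best = (itf.name, net.prefixlen)
        return best[0] if best else None

    def answers_arp(self, in_if: str, tip: str) -> bool:
        """Would an ARP request for tip, received on in_if, get a reply?"""
        target = ipaddress.ip_address(tip)
        # Our own addresses are answered on any interface (default arp_ignore=0);
        # that is ordinary ARP, not proxy ARP.
        if any(ipaddress.ip_interface(i.addr).ip == target for i in self.ifaces.values()):
            return True
        if not self.ip_forward:                  # the IN_DEV_FORWARD gate
            return False
        out_if = self.route(tip)
        if out_if is None or out_if == in_if:    # no route, or it points back out the same NIC
            return False
        itf = self.ifaces[in_if]
        return itf.proxy_arp or tip in itf.published


DMZ = "203.0.113.10"   # public address the router ARPs for; the DNAT target sits behind eth1


def firewall(ip_forward: bool, proxy_arp: bool, published: bool, host_route: bool) -> Firewall:
    """The thread's topology: eth0 faces the router, eth1 is the inside/DMZ side."""
    eth0 = Iface("eth0", "203.0.113.2/24", proxy_arp, {DMZ} if published else set())
    eth1 = Iface("eth1", "192.168.1.1/24")
    fw = Firewall(ip_forward, {"eth0": eth0, "eth1": eth1})
    if host_route:
        fw.host_routes[DMZ] = "eth1"
    return fw


# Scenarios from the thread; the router's ARP request always arrives on eth0.
SCENARIOS = {
    "proxy_arp on, ip_forward on, no host route":        firewall(True,  True,  False, False),
    "proxy_arp on, ip_forward off, host route via eth1": firewall(False, True,  False, True),
    "proxy_arp on, ip_forward on, host route via eth1":  firewall(True,  True,  False, True),
    "published entry only, ip_forward off":              firewall(False, False, True,  True),
    "published entry only, ip_forward on, host route":   firewall(True,  False, True,  True),
    "neither proxy_arp nor pub, ip_forward on, route":   firewall(True,  False, False, True),
}


def results() -> dict:
    """Scenario name -> whether the firewall would answer the router's request."""
    return {name: fw.answers_arp("eth0", DMZ) for name, fw in SCENARIOS.items()}


if __name__ == "__main__":
    for name, answered in results().items():
        print(f"{'reply  ' if answered else 'silence'}  {name}")
```

On the real box the equivalent checks are `cat /proc/sys/net/ipv4/ip_forward` and `route -n` (or `ip route get 203.0.113.10`, which should name eth1 as the device). The host route only serves the ARP decision: packets hitting the PREROUTING DNAT rule are routed on their rewritten private destination, which already leaves via eth1.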

