
FW: [geeks] FW: Proxy ARP for 'transparent firewalling'



Hello!
Please pass this on to Jonathan Hunter; Reply from rick @ c0wz :


-----Original Message-----
From: thc@cow.mcrnet.net [mailto:thc@cow.mcrnet.net]
Sent: Monday, January 01, 2001 11:39 PM
To: geeks@angrypacket.com
Subject: Re: [geeks] FW: Proxy ARP for 'transparent firewalling'


Heheh..cool.

However, I found, when using OpenBSD for that purpose, that a
filtering bridge worked better and easier than proxy ARP, in
OpenBSD. You may want to suggest it to him.



On Fri, Dec 29, 2000 at 05:30:44PM -0800, dmuz scribbled:
> hey rick,
> 
> did you see a large spike in your traffic today?
> 
> below is an email from the misc OpenBSD mail list that mentions your site
> c0wz.com! cool!
> 
> 
> dmuz
> 
> -----Original Message-----
> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]On Behalf Of
> Jonathan Hunter
> Sent: Friday, December 29, 2000 4:38 PM
> To: misc@openbsd.org
> Subject: Proxy ARP for 'transparent firewalling'
> 
> 
> Hi,
> 
> Apologies if this has been discussed before, but I couldn't find it fully
> covered in the list archives or other docs.
> 
> I need to set up a machine as a "transparent" firewall between an ADSL
> router and our internal machines. Having found an excellent article at
> http://lrp.c0wz.com/dox/ProxyARP/3246.html I decided that proxy ARP was the
> best way to approach the problem. Reading this article, it would appear that
> this works fine on Linux - but I would like to use OpenBSD and ipfilter if
> possible. My setup looks like this:
> 
> [Internet] -> ADSL Router -> OpenBSD box -> [Internal hosts]
> 
> and of course, I am trying to make the OpenBSD box transparent so it looks
> like this:
> 
> [Internet] -> ADSL Router -> [Internal hosts]
> 
> Has anybody yet succeeded at this with OpenBSD? I have seen a couple of
> similar requests on this mailing list, but have found no success stories
> unfortunately :-(
> 
> I have got as far as setting up the routing tables, and adding the static
> ARP entries required for both the router and for the internal hosts. Having
> done that though, I cannot ping the ADSL router from my internal test host,
> nor the test host from the outside world.
> 
> The ARP table on the OpenBSD machine looks like this:
> 
> ? (adsl-router) at [router-MAC]
> ? (openbsd-box) at [router-facing-MAC] static
> ? (internal-host) at [router-facing-MAC] static published
> 
> From what I can tell, the Linux version of arp has an extra argument to tell
> it which interface to bind the arp entry to. I haven't seen a similar option
> in OpenBSD, so what I assume is happening is that when data comes in for the
> internal host, the OpenBSD machine already has an ARP entry for it (needed
> on the router-facing ethernet interface) and sends the packet out on the
> internal wire with this (incorrect) MAC address.
> 
> Does this sound likely? I don't know all that much about the internals of
> OpenBSD, or indeed the internals of how arp works on Linux - so I could be
> barking up the wrong tree here. It's entirely possible that the routing
> table on the OpenBSD box, or something else entirely, is screwed, but
> looking at it it appears to be fine.
> 
> I would guess that if I can somehow tell OpenBSD that this static ARP entry
> is just for the one ethernet interface, then things will start working. I'm
> not entirely sure where to go from here though - I may try setting up a
> Linux box in a similar fashion and see if I can get it going using the Linux
> arp command..
> 
> And before you ask, the ADSL router is owned by the telco, not us. This
> telco has been extremely un-cooperative in this matter, so there's no chance
> we can get them to add static routes to the router - we have tried! They
> also have a monopoly on ADSL in the country right now, so we can't change to
> another telco either :(
> 
> Thanks for any pointers you might be able to give me,
> 
> Jonathan
> 
> 
> 
> 
> 
> --
> To unsubscribe, send mail to minordomo@altair.angrypacket.com with a
> subject of 'unsubscribe geeks'
> List archived at http://altair.angrypacket.com/login/mail/minorweb.pl

-- 
rick -- A mind is like a parachute... it only works when it's open.

ICQ# 1590117                           thc@psynet.net (home)   
Help with LRP: http://lrp.c0wz.com     Home page: http://www.c0wz.com

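The failure Jonathan describes in the quoted post (a published ARP entry for the internal host that points at the router-facing MAC, and an internal host that cannot resolve the router) comes down to whether the ARP cache is keyed by interface. The model below is an added example and is not code from the thread, from OpenBSD, or from the LRP article; it makes no claim about how OpenBSD's arp(8) or kernel actually stored entries at the time. All addresses, interface names (ext0, int0) and the class names are constructed for the illustration. It compares a single global table, which reproduces both symptoms from the post, with a per-interface table, which resolves them.

```python
"""Model of per-interface ARP binding for a proxy-ARP transparent firewall.

Added example with constructed addresses; it sends no packets. ext0 faces
the ADSL router, int0 faces the internal hosts. The box must (a) answer the
router's ARP requests for the internal host on ext0, (b) answer the internal
host's ARP requests for the router on int0, and (c) still deliver inbound
frames on int0 with the host's real MAC.
"""
from dataclasses import dataclass

# Constructed topology (documentation-range addresses, not real hosts).
ROUTER_IP, ROUTER_MAC = "192.0.2.1", "00:00:5e:00:53:01"
HOST_IP, HOST_MAC = "192.0.2.10", "00:00:5e:00:53:10"
OUR_EXT_MAC = "00:00:5e:00:53:aa"   # our MAC on ext0 (router-facing)
OUR_INT_MAC = "00:00:5e:00:53:bb"   # our MAC on int0 (LAN-facing)


@dataclass
class ArpEntry:
    mac: str
    published: bool = False   # answer ARP requests for this IP ourselves


class ArpTable:
    """ARP cache; per_interface=False collapses it into one global table."""

    def __init__(self, per_interface):
        self.per_interface = per_interface
        self.entries = {}   # (iface or None, ip) -> ArpEntry

    def _key(self, ip, iface):
        return (iface if self.per_interface else None, ip)

    def add(self, ip, mac, iface=None, published=False):
        # In global mode a later entry for the same IP silently overwrites
        # the earlier one, which is the situation shown in the post.
        self.entries[self._key(ip, iface)] = ArpEntry(mac, published)

    def lookup(self, ip, iface):
        return self.entries.get(self._key(ip, iface))


class ProxyArpBox:
    def __init__(self, per_interface):
        self.arp = ArpTable(per_interface)
        # Which interface each destination is really behind (routing table).
        self.routes = {ROUTER_IP: "ext0", HOST_IP: "int0"}
        self.iface_mac = {"ext0": OUR_EXT_MAC, "int0": OUR_INT_MAC}

    def answer_arp_request(self, iface, target_ip):
        """MAC to answer with for a request seen on iface, or None to be silent.

        A proxy answers only when the target sits behind a *different*
        interface; answering on the target's own segment would shadow it.
        """
        if self.routes.get(target_ip) == iface:
            return None
        entry = self.arp.lookup(target_ip, iface)
        if entry is not None and entry.published:
            return self.iface_mac[iface]
        return None

    def frame_for(self, dst_ip):
        """(egress interface, destination MAC) used to deliver an IP packet."""
        iface = self.routes[dst_ip]
        entry = self.arp.lookup(dst_ip, iface)
        if entry is None:
            raise LookupError(f"no ARP entry for {dst_ip} on {iface}")
        return iface, entry.mac


def configure(per_interface):
    """Static entries a transparent proxy-ARP firewall needs, in both modes."""
    box = ProxyArpBox(per_interface)
    box.arp.add(ROUTER_IP, ROUTER_MAC, iface="ext0")          # learned on ext0
    if per_interface:
        box.arp.add(HOST_IP, OUR_EXT_MAC, iface="ext0", published=True)
        box.arp.add(HOST_IP, HOST_MAC, iface="int0")          # real host MAC
        box.arp.add(ROUTER_IP, OUR_INT_MAC, iface="int0", published=True)
    else:
        # Only one entry per IP can exist, so the published entry for the
        # host is the only one, and the router cannot be published on int0.
        box.arp.add(HOST_IP, OUR_EXT_MAC, published=True)
    return box


def diagnose(box):
    """The three checks that correspond to the symptoms in the post."""
    return {
        "router_can_resolve_host": box.answer_arp_request("ext0", HOST_IP),
        "host_can_resolve_router": box.answer_arp_request("int0", ROUTER_IP),
        "inbound_frame": box.frame_for(HOST_IP),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("per-interface table:", mode, diagnose(configure(mode)))
```

With the global table the internal host gets no answer when it ARPs for the router, and inbound frames for the host leave int0 addressed to the firewall's own router-facing MAC, which is exactly the "(incorrect) MAC address" the post suspects; with entries bound to an interface both checks succeed. Rick's alternative, a filtering bridge, sidesteps the issue entirely because a bridge forwards frames by learned MAC and never has to answer ARP on the hosts' behalf.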