
RE: Proxy ARP for 'transparent firewalling'

Just use a bridge.

man brconfig

and then apply ipf's filtering rules to the inbound interfaces of the bridge
on both the internal and external sides.


-----Original Message-----
From: Jonathan Hunter [mailto:jh-openbsd_(_at_)_ninja_(_dot_)_org_(_dot_)_uk]
Sent: Friday, December 29, 2000 7:38 PM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Proxy ARP for 'transparent firewalling'


Apologies if this has been discussed before, but I couldn't find it fully
covered in the list archives or other docs.

I need to set up a machine as a "transparent" firewall between an ADSL
router and our internal machines. Having found an excellent article at
http://lrp.c0wz.com/dox/ProxyARP/3246.html I decided that proxy ARP was the
best way to approach the problem. Reading this article, it would appear that
this works fine on Linux - but I would like to use OpenBSD and ipfilter if
possible. My setup looks like this:

[Internet] -> ADSL Router -> OpenBSD box -> [Internal hosts]

and of course, I am trying to make the OpenBSD box transparent so it looks
like this:

[Internet] -> ADSL Router -> [Internal hosts]

Has anybody yet succeeded at this with OpenBSD? I have seen a couple of
similar requests on this mailing list, but have found no success stories
unfortunately :-(

I have got as far as setting up the routing tables, and adding the static
ARP entries required for both the router and for the internal hosts. Having
done that though, I cannot ping the ADSL router from my internal test host,
nor the test host from the outside world.

The ARP table on the OpenBSD machine looks like this:

? (adsl-router) at [router-MAC]
? (openbsd-box) at [router-facing-MAC] static
? (internal-host) at [router-facing-MAC] static published

From what I can tell, the Linux version of arp has an extra argument to tell
it which interface to bind the arp entry to. I haven't seen a similar option
in OpenBSD, so what I assume is happening is that when data comes in for the
internal host, the OpenBSD machine already has an ARP entry for it (needed
on the router-facing ethernet interface) and sends the packet out on the
internal wire with this (incorrect) MAC address.

Does this sound likely? I don't know all that much about the internals of
OpenBSD, or indeed the internals of how arp works on Linux - so I could be
barking up the wrong tree here. It's entirely possible that the routing
table on the OpenBSD box, or something else entirely, is screwed, but
looking at it it appears to be fine.

I would guess that if I can somehow tell OpenBSD that this static ARP entry
is just for the one ethernet interface, then things will start working. I'm
not entirely sure where to go from here though - I may try setting up a
Linux box in a similar fashion and see if I can get it going using the Linux
arp command.

And before you ask, the ADSL router is owned by the telco, not us. This
telco has been extremely un-cooperative in this matter, so there's no chance
we can get them to add static routes to the router - we have tried! They
also have a monopoly on ADSL in the country right now, so we can't change to
another telco either :(

Thanks for any pointers you might be able to give me,
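The bridge approach suggested in the reply ("Just use a bridge" and filter on the inbound interfaces of both members), written out as an added example. This is not code from either poster; it assumes fxp0 is the interface facing the ADSL router, fxp1 faces the internal hosts, 192.0.2.0/24 is a constructed stand-in for the subnet the router serves, and the `ipf` keyword to brconfig enables ipfilter on bridged frames (check brconfig(8) for the OpenBSD release in use). The functions only emit the configuration text so it can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: transparent filtering bridge on OpenBSD with brconfig + ipf.
# Assumed names (not from the thread): fxp0 = router side, fxp1 = internal side.
# 192.0.2.0/24 and 192.0.2.10 are constructed sample addresses.
EXT_IF=fxp0
INT_IF=fxp1
INT_NET=192.0.2.0/24
WEB_HOST=192.0.2.10

# Commands that build the bridge. Neither member interface needs an IP
# address; the internal hosts keep addresses from the router's own subnet
# and the router's ARP replies pass straight through the bridge, so no
# proxy ARP or static ARP entries are required.
bridge_commands() {
    cat <<EOF
ifconfig $EXT_IF up
ifconfig $INT_IF up
brconfig bridge0 add $EXT_IF add $INT_IF ipf up
EOF
}

# ipf rule set. Policy is enforced on the *inbound* leg of each member, as
# the reply advises: what arrives on $EXT_IF is what the Internet sends us,
# what arrives on $INT_IF is what internal hosts send out. The outbound leg
# is passed unconditionally so a frame is judged exactly once.
ipf_rules() {
    cat <<EOF
# default deny on the inbound leg; log what is dropped
block in log all
# the outbound leg of a bridged frame was already filtered on its way in
pass out quick all
# internal side: internal hosts may initiate anything, stateful
pass in quick on $INT_IF from $INT_NET to any keep state
# router side: only new TCP connections to the web host on port 80
pass in quick on $EXT_IF proto tcp from any to $WEB_HOST port = 80 flags S keep state
EOF
}

# Small self-checks a practitioner can run before loading the rules:
# every 'pass in' rule must be pinned to one of the two member interfaces,
# otherwise a typo would silently open the other side as well.
pass_rules_pinned() {
    ipf_rules | grep '^pass in' | grep -v -e "on $EXT_IF " -e "on $INT_IF " \
        | wc -l | tr -d ' '
}

bridge_command_count() {
    bridge_commands | wc -l | tr -d ' '
}

# Print both pieces when run directly.
echo "# --- bridge setup ---"
bridge_commands
echo "# --- /etc/ipf.rules ---"
ipf_rules
```

On OpenBSD the brconfig arguments can be placed, one per line, in /etc/bridgename.bridge0 (assumed from the netstart conventions of the period) and the rules loaded with `ipf -Fa -f /etc/ipf.rules`; with no IP forwarding involved, net.inet.ip.forwarding can stay off.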