hi joseph,

ok, got the picture.

as far as i know, it would be difficult to tinker with proxy_arp, but
you could always turn off arp on the "public" interface with ifconfig.

#ifconfig eth0 -arp

this is a tactic employed by the linux virtual server project, and
*might* do what you want. couldn't test here because of some
particularities with my setup.

a shame that bridging doesn't allow netfiltering (iptables) control --
this would correspond most closely to your goal -- a transparent layer 2
bridge, with layer 3 filtering.

clearly, iptables rules on the INPUT and OUTPUT chains pursuant to the
firewall itself should minimize your risk

best of luck

christopher cuse

On Sat, 2003-05-03 at 17:27, Joseph Watson wrote:
> On Saturday May 3 2003 03:33 am, you wrote:
> > Hi Joseph,
> >
> > I took a look more closely at your schema ...
> >
> ...snip...
> >
> > i'm having a bit of trouble understanding exactly what you're trying to
> > achieve here.
>
> Well let me try to explain a different way. Let's say I have a working network
> with servers providing web pages, dns, mail, etc.... Now I want to put all
> the servers behind a firewall and not have to change my network around by
> subnetting or masquerading. So proxy_arp fits the picture well, all I may have
> to do is flush arp cache or wait for a timeout. I did this using shorewall,
> and it is working great. Now my question:
>
> In my current setup, my firewall has an address on my public network (the same
> network as my servers). Is it possible to set up proxy_arp so that the
> proxy_arp-firewall does not have an identity on the public network? This
> would make it transparent and a little more secure because there would be no
> possible way for someone to try to access the firewall directly??
> >
> ..snip...
> >
> > > 192.168.1.0/24 dev eth0 scope link
> > 192.168.3.0/24 dev eth1 scope link
> > 127.0.0.0/8 dev lo scope link
> >
> > your routing table is missing localhost, or did you <snip> it? check.
> >
>
> I did snip out all but the routes that pertained to proxy_arp setup :)
>
> --
> Regards
>
> Joseph Watson
> _______________________________________________
> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
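
The last suggestion in the reply above (INPUT and OUTPUT rules covering the firewall itself), as an added example that is not part of the original thread. It assumes eth0 is the public side and eth1 the server side (names taken from the quoted routing table); the admin address 192.168.3.10 and the forwarded ports are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. eth0 = public side, eth1 = server side
# (assumed from the quoted routing table); the admin host is a constructed value.

# Print an iptables-restore ruleset that drops everything addressed to or sent
# by the firewall itself, except loopback and SSH from one admin host on the
# inside. iptables only sees IP packets, so ARP (and proxy_arp) is untouched.
gen_ruleset() {
    pub_if=$1; int_if=$2; admin=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $int_if -s $admin -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $int_if -d $admin -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $pub_if -o $int_if -p tcp -m multiport --dports 25,53,80 -m state --state NEW -j ACCEPT
-A FORWARD -i $pub_if -o $int_if -p udp --dport 53 -j ACCEPT
-A FORWARD -i $int_if -o $pub_if -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Audit a ruleset on stdin. Returns 0 (true) if traffic arriving on interface $1
# can reach the firewall itself: INPUT policy is not DROP, or an INPUT ACCEPT
# rule names $1 or names no input interface at all.
input_exposed_on() {
    awk -v ifc="$1" '
        /^:INPUT / && $2 != "DROP" { bad = 1 }
        /^-A INPUT / && /-j ACCEPT/ {
            if ($0 !~ / -i /) bad = 1
            else if ($0 ~ (" -i " ifc "( |$)")) bad = 1
        }
        END { exit (bad ? 0 : 1) }'
}

rules=$(gen_ruleset eth0 eth1 192.168.3.10)
printf '%s\n' "$rules"
if printf '%s\n' "$rules" | input_exposed_on eth0; then
    echo "warning: firewall is reachable from eth0" >&2
fi
```

The printed ruleset can be saved to a file and loaded with iptables-restore once the interface names and admin address match the real host.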