On Sunday May 4 2003 07:15 pm, Martin A. Brown wrote:
>
> I don't have any speculation about why this continues to work for you. I
> can certainly understand why outbound packets/frames can successfully
> pass the firewall and reach the world, but I do not understand how
> machines on the eth0 side of your firewall are resolving a link layer
> address for 192.168.1.2.
>
> So, I don't have an explanation. Can you get us one?
>
> -Martin

Here is an explanation from Shorewall's author:

On Monday May 5 2003 07:51 pm, Tom Eastep wrote:
>
> From the 'setup_proxy_arp' function in Shorewall:
>
> arp -Ds $address $external pub
>
> echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
> echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
>
> Note: $address = the address of the system
> $external = the external interface
> $interface = the internal interface
>
> In other words, I add a persistent ARP cache entry for the address on the
> external interface and I turn on the proxy_arp flag for the internal
> interface.
>
> Doing it that way prevents external hosts on the same subnet from being
> able to use ARP to probe the configuration of your internal network.
>
> -Tom

Clears it up well.

--
Regards
Joseph Watson
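As an added example (not Shorewall's code and not part of this thread), the three steps Tom quotes, wrapped in a small POSIX shell script that validates its inputs, can apply the commands as root, and afterwards checks that the internal interface proxies, the external one does not, and the published entry exists. The function names are hypothetical, and it assumes `ip neigh show proxy` lists entries added with `arp -Ds ... pub`.

```shell
#!/bin/sh
# Added example, not Shorewall's setup_proxy_arp; helper names are hypothetical.

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Interface names: non-empty, and only characters the kernel allows, so that
# nothing shell-significant can reach the eval in proxy_arp_apply.
is_ifname() {
    case "$1" in ""|*[!A-Za-z0-9_.:-]*) return 1 ;; esac
}

# Print the three commands from the thread, one per line, without running them.
# $1 = internal host address, $2 = external interface, $3 = internal interface
proxy_arp_cmds() {
    is_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    is_ifname "$2" && is_ifname "$3" || { echo "bad interface name" >&2; return 1; }
    printf '%s\n' \
        "arp -Ds $1 $2 pub" \
        "echo 1 > /proc/sys/net/ipv4/conf/$3/proxy_arp" \
        "echo 0 > /proc/sys/net/ipv4/conf/$2/proxy_arp"
}

# Apply the commands (root required). Each line goes through sh so the
# redirections into /proc take effect; stop at the first failure.
proxy_arp_apply() {
    proxy_arp_cmds "$@" | while IFS= read -r cmd; do sh -c "$cmd" || exit 1; done
}

# Check the resulting kernel state: proxy_arp on inside, off outside (so the
# external LAN cannot ARP-probe internal addresses), and the published entry
# present on the external interface. Prints "ok" or the first failed check.
proxy_arp_verify() {
    [ "$(cat "/proc/sys/net/ipv4/conf/$3/proxy_arp")" = 1 ] || { echo "internal proxy_arp off"; return 1; }
    [ "$(cat "/proc/sys/net/ipv4/conf/$2/proxy_arp")" = 0 ] || { echo "external proxy_arp on"; return 1; }
    ip neigh show proxy dev "$2" | grep -qw "$1" || { echo "no published entry for $1"; return 1; }
    echo ok
}
```

Run `proxy_arp_cmds 192.168.1.2 eth0 eth1` first to review what would be executed, then `proxy_arp_apply` and `proxy_arp_verify` with the same three arguments.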