Maybe I'm misinformed, but will a setup such as this even work? I had the
machine strangely plugged into the network when I did my testing, so it's
quite possible that it was using the internal network, even though the test
client had an external IP from which I was testing. But will this work from
the external interface? My understanding is that the firewall will reply to
ARP requests for each of the (30) external IP addresses we have with its own
MAC address, thus tricking computers on the Internet into sending packets
destined for any of our external IPs to our firewall. From there the firewall
can route the packets to each client behind it with little difficulty? Does
this sound plausible to you? Or do you know of a better way to set up a
firewall that won't cause problems with applications like NetMeeting?

Thanks.

At 01:03 PM 12/20/00 +0000, you wrote:
>Mike Benoit wrote:
>
> > I'm working on setting up a firewall for my local LAN. We will be using VoIP
> > applications extensively, so IP masquerading unfortunately won't cut it. So
> > I'm trying to figure out how to set up a firewall. I have 30 external (real)
> > IPs, and about 25 client machines. So our ISP doesn't have to get involved,
> > I figured I would use proxy ARP to take care of incoming packets, and NAT
> > for outgoing.
> >
> > Here is what I'm doing in regards to proxy ARP:
> >
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
> > arp -Ds 207.102.201.189 eth1 pub -v
>
>The last line should be unnecessary if you have the second, and you
>have the necessary routes (which you need anyway).
>
> > [root@firewall /root]# arp -an
> > ? (207.102.201.189) at * PERM PUP on eth1
> >
> > [root@firewall /root]# cat /proc/net/arp
> > 207.102.201.189 0x1 0xc 00:00:00:00:00:00 * eth1
> >
> > This is weird: even though I specify the MAC address I want to use for ARP
> > replies, it doesn't record this MAC address anywhere, it seems.
> >
> > When I go to a client machine and try to ping 207.102.201.189, then check
> > the ARP table on that client,
> >
> > 207.102.201.189 00-d0-b7-74-52-57 dynamic
> >
> > I get the MAC address of eth0 on my firewall box. (It should be the MAC
> > address of eth1 on the firewall [external interface].) This also seems to
> > be the same for any IP I throw at it in the same subnet.
>
>This strongly suggests that your clients are connected to eth0, not to
>eth1. In which case:
>
>a) any ARP entries which you specify for eth1 won't apply, and
>
>b) there wouldn't be any point in returning eth1's MAC address, as
>it's of no use on the segment which is connected to eth0.
>
> > i.e.:
> >
> > 207.102.201.161 00-d0-b7-74-52-57 dynamic
> >
> > It makes no difference if I manually set ARP table entries or not; it always
> > replies with the MAC address of eth0 on the firewall. Anyone know how I can
> > change this so it's replying with any MAC address I specify, or at least
> > the MAC address of eth1 like it's supposed to?
>
>If the clients /are/ connected to eth0, then what you are asking for
>is both impossible and pointless.
>
>--
>Glynn Clements <glynn@sensei.co.uk>
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org
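The proxy-ARP subnet split that Glynn's reply presumes, as an added example that is not part of the original thread. The interface roles, the router's own address 207.102.201.162/27, the gateway 207.102.201.161, the three client addresses and eth1's MAC are assumptions chosen to fit the 207.102.201.x prefix in the posts; the eth0 MAC is the one the client actually saw. The `sysctl -w` and `ip` commands are the iproute2 equivalents of the `echo > /proc` and `arp` lines quoted above. The clients keep their public addresses and use the router as their gateway, so nothing has to be rewritten on the way out; what makes the kernel answer ARP on one side for addresses that live on the other is the routing table, not published `arp -Ds ... pub` entries. The second half implements the check behind Glynn's diagnosis: the firewall MAC a client gets back identifies the interface the client is cabled to.

```shell
#!/bin/sh
# Added example, not code from the thread. Proxy-ARP split of a public /27
# across a Linux router, plus a check of which router interface answered a
# client's ARP request. Interface names, addresses, the gateway, the client
# list and eth1's MAC are ASSUMED for illustration.

EXT_IF="eth1"                        # assumed: interface facing the ISP
INT_IF="eth0"                        # assumed: interface facing the clients
EXT_ADDR="207.102.201.162/27"        # assumed: the router's own public address
GATEWAY="207.102.201.161"            # assumed: the ISP's router
# assumed: public addresses of machines on the inside segment; they keep
# their real IPs and use 207.102.201.162 as their default gateway
CLIENTS="207.102.201.170 207.102.201.171 207.102.201.189"

DRY_RUN="${DRY_RUN:-1}"              # 1 = print the commands, 0 = run them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The kernel proxies ARP for an address on an interface only when it would
# route that address out through a *different* interface. The /27 on eth1
# plus one /32 per client on eth0 therefore make eth1 answer for the clients
# and eth0 answer for the gateway; no published ARP entries are needed.
proxy_arp_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$EXT_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$INT_IF.proxy_arp=1"
    run ip link set "$INT_IF" up
    run ip addr replace "$EXT_ADDR" dev "$EXT_IF"     # brings the /27 route on eth1
    run ip route replace default via "$GATEWAY" dev "$EXT_IF"
    for c in $CLIENTS; do                              # more specific than the /27
        run ip route replace "$c/32" dev "$INT_IF"
    done
}

# Constructed sample of the router's interface MACs, as `ip link` shows them.
# eth0's is the address the client in the thread got back; eth1's is assumed.
IFACE_MACS="eth0 00:d0:b7:74:52:57
eth1 00:d0:b7:74:52:58"

# Accept Windows "00-d0-.." or Unix "00:d0:.." spelling; compare lower-case.
norm_mac() {
    printf '%s\n' "$1" | tr 'ABCDEF-' 'abcdef:'
}

# arp_answering_iface MAC: name the router interface that owns the MAC a
# client received for a proxied address. An ARP reply only travels on the
# segment it was asked on, so this is the interface the client is attached
# to; a client cabled to eth0 can never be handed eth1's MAC.
arp_answering_iface() {
    want=$(norm_mac "$1")
    printf '%s\n' "$IFACE_MACS" | while read -r ifname mac; do
        if [ "$(norm_mac "$mac")" = "$want" ]; then
            echo "$ifname"
        fi
    done
}

proxy_arp_setup                      # prints the plan, or applies it if DRY_RUN=0
echo "client saw the MAC of: $(arp_answering_iface 00-d0-b7-74-52-57)"
```

Run it as-is to see the plan, then with `DRY_RUN=0` as root to apply it. Feeding the function the MAC from the client's ARP table in the thread names eth0, which is the same conclusion Glynn draws: the test client was on the inside segment, and only a client on the outside segment can ever be answered with eth1's MAC.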